[OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research

SitG Admin sysadmin at shadowsinthegarden.com
Tue Oct 28 22:48:36 UTC 2008


>I assume therefore that when a website wants to validate your email 
>address as per current practice you manually type the URL in the 
>validation email into your web browser on the other computer?

So far they've also offered the option of replying to their 
validation message, but, where they don't, I:

a) type it in as described ;)
b) burn it onto a rewritable CD to transfer
c) fire up Telnet and see if all I need to do is make the request

>What I'm trying to achieve is to simply ask the provider "does this 
>user own this email address?" rather than sending an email and 
>having a user click a link. It sounds to me like this would be 
>especially useful to you since the computer that handles your email 
>would be taken out of the picture completely and you'd just do a 
>normal OpenID "redirect dance" in your browser.

I'm in favor of having authentication that doesn't risk exposing the 
password to my main E-mail service, but how can an alternative work 
without at least *talking to* my main E-mail server? I can't pinpoint 
it, but I think my concern centers around the area of an altered DNS 
entry for my main E-mail server throwing up red flags if altered, 
while the presence or lack of an alternative entry such as you are 
proposing might not be watched (or, if changed, noticed) by all IDS 
systems. What kind of services will accept this secondary (indirect) 
"E-mail" authentication method? What is the level of risk to 
providers that, having never even *heard* of OpenID, must safeguard 
this additional entry type in their DNS?

-Shade


