[OpenID] OpenID based on email addresses... Just Works!
Andrew Arnott
andrewarnott at gmail.com
Thu Oct 30 12:37:00 UTC 2008

I'm surprised no one has brought this up, but remember that having people
log into RPs using their email address is giving away a very personal bit of
information that I'd like to hide more than give away. On another thread
concern was expressed over allowing OpenID to accidentally reveal the
preferred language of a user. Well to me I think email address is far more
concerning.

Of course an RP may want an email address and AX or SREG is a great way to
get it, but that's always the user's decision while at the OP or later at
the RP, and isn't a mandatory step to even initiate the login process.

On Thu, Oct 30, 2008 at 3:00 AM, Ben Laurie <benl at google.com> wrote:
> On Thu, Oct 30, 2008 at 7:07 AM, Chris Messina <chris.messina at gmail.com> wrote:
> > On Thu, Oct 30, 2008 at 4:14 PM, David Recordon <drecordon at sixapart.com> wrote:
> >> Can you use POBox.com with david at yahoo.com? For the added complexity I just
> >> don't think it's worth it considering you already can't delegate your email.
> >> If you control the domain then you can choose your Provider, otherwise
> >> you're at the mercy of who controls the domain. Don't like it, then don't
> >> use your Yahoo account as your OpenID. IMHO.
> >> --David
> >> --David
> >
> > I'm coming around to this perspective.
> >
> > While maximal flexibility would be ideal for "delegating email
> > addresses", I'm willing to compromise to find the simplest, easiest,
> > quickest and least costly path to adoption.
> >
> > While the mapping concept is a worthwhile one technologically, I think
> > that trying to push all the freedoms that you get with URL-based
> > OpenIDs into email addresses could be a losing proposition.
> >
> > If we can support email addresses with maximal flexibility with
> > minimal costs, great, but from what I've seen of how changes actually
> > get made, changing the OpenID spec as little as possible is the best
> > way forward.
> >
> > It sounds like the OpenID.identity approach might be the best way to
> > make this happen, pronto, without mucking with DNS and so on.
>
> What is "the OpenID.identity approach"?
>
> > Remember, email addresses today aren't really explicitly supported by
> > the spec; the goal should be to make that a possibility with as little
> > effort as possible.
>
> It seems to me that there's a couple of things to consider:
>
> 1. Often the RP actually wants an email address, because it wants to
> be able to communicate with the user. This can be solved with AX, of
> course _but_ I suspect users will be confused by having to give an
> "email address" that isn't actually their email address.
>
> 2. It seems that it's possible to do a pretty good job with just the
> domain - the email address is just a way to get the user to tell you
> what the domain is so discovery can start.
>
> Obviously discovery is a prerequisite, though.
>
> >
> > Chris
> >
> > --
> > Chris Messina
> > Citizen-Participant &
> > Open Technology Advocate-at-Large
> > factoryjoe.com # diso-project.org
> > citizenagency.com # vidoop.com
> > This email is: [ ] bloggable [X] ask first [ ] private
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >