[OpenID] OpenID based on email addresses... Just Works!

Ben Laurie benl at google.com
Thu Oct 30 12:57:36 UTC 2008 

On Thu, Oct 30, 2008 at 12:56 PM, Steven Livingstone-Perez
<weblivz at hotmail.com> wrote:
> I also find it odd as I'd quite like to have a durable identifier, but not
> only do I have multiple emails, I tend to change emails relatively often and
> I'm happy to share it using AX/SREG if/when I wish.
>
>
>
> Be interested in how an OpenID using my email as a primary identifier would
> work if I wanted to change it.

How does OpenID using anything as your primary identifier work if you
want to change it?

>
>
>
> I do like an email account being used to discover an OpenID right enough, if
> every email mapped to an openid – user at domain.com -> user.domain.com or
> domain.com/user – from what I can see it doesn't even need to be a real
> email address… so long as the mapping can be done.
>
>
>
> From what I have read you're really just talking about making it easier for
> the user to enter an OpenID rather than changing how it works…. I mean
> surely entering weblivz at hotmail.com can easily map to an OpenID
> weblivz.hotmail.com
>
>
>
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Andrew Arnott
> Sent: 30 October 2008 12:37
> To: Ben Laurie
> Cc: david at sixapart.com; OpenID List
> Subject: Re: [OpenID] OpenID based on email addresses... Just Works!
>
>
>
> I'm surprised no one has brought this up, but remember that having people
> log into RPs using their email address is giving away a very personal bit of
> information that I'd like to hide more than give away.  On another thread
> concern was expressed over allowing OpenID to accidentally reveal the
> preferred language of a user.  Well to me I think email address is far more
> concerning.
>
>
>
> Of course an RP may want an email address and AX or SREG is a great way to
> get it, but that's always the user's decision while at the OP or later at
> the RP, and isn't a mandatory step to even initiate the login process.
>
> On Thu, Oct 30, 2008 at 3:00 AM, Ben Laurie <benl at google.com> wrote:
>
> On Thu, Oct 30, 2008 at 7:07 AM, Chris Messina <chris.messina at gmail.com>
> wrote:
>> On Thu, Oct 30, 2008 at 4:14 PM, David Recordon <drecordon at sixapart.com>
>> wrote:
>>> Can you use POBox.com with david at yahoo.com?  For the added complexity I
>>> just
>>> don't think it's worth it considering you already can't delegate your
>>> email.
>>>  If you control the domain then you can choose your Provider, otherwise
>>> you're at the mercy of who controls the domain.  Don't like it, then
>>> don't
>>> use your Yahoo account as your OpenID.  IMHO.
>>> --David
>>
>> I'm coming around to this perspective.
>>
>> While maximal flexibility would be ideal for "delegating email
>> addresses", I'm willing to compromise to find the simplest, easiest,
>> quickest and least costliest path to adoption.
>>
>> While the mapping concept is a worthwhile one technologically, I think
>> that trying to push all the freedoms that you get with URL-based
>> OpenIDs into email addresses could be a losing proposition.
>>
>> If we can support email addresses with maximal flexibility with
>> minimal costs, great, but from what I've seen of how changes actually
>> get made, changing the OpenID spec as little as possible is the best
>> way forward.
>>
>> It sounds like the OpenID.identity approach might be the best way to
>> make this happen, pronto, without mucking with DNS and so on.
>
> What is "the OpenID.identity approach"?
>
>> Remember, email addresses today aren't really explicitly supported by
>> the spec; the goal should be to make that a possibility with as little
>> effort as possible.
>
> It seems to me that there's a couple of things to consider:
>
> 1. Often the RP actually wants an email address, because it wants to
> be able to communicate with the user. This can be solved with AX, of
> course _but_ I suspect users will be confused by having to give an
> "email address" that isn't actually their email address.
>
> 2. It seems that its possible to do a pretty good job with just the
> domain - the email address is just a way to get the user to tell you
> what the domain is so discovery can start.
>
> Obviously discovery is a prerequisite, though.
>
>>
>> Chris
>>
>> --
>> Chris Messina
>> Citizen-Participant &
>>  Open Technology Advocate-at-Large
>> factoryjoe.com # diso-project.org
>> citizenagency.com # vidoop.com
>> This email is:   [ ] bloggable    [X] ask first   [ ] private
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>

More information about the general mailing list