[OpenID] OpenID based on email addresses... Just Works!

Chris Messina chris.messina at gmail.com
Thu Oct 30 13:10:39 UTC 2008


On Thu, Oct 30, 2008 at 11:37 PM, Andrew Arnott <andrewarnott at gmail.com> wrote:
> I'm surprised no one has brought this up, but remember that having people
> log into RPs using their email address is giving away a very personal bit of
> information that I'd like to hide more than give away.  On another thread
> concern was expressed over allowing OpenID to accidentally reveal the
> preferred language of a user.  Well to me I think email address is far more
> concerning.

This has been brought up. Points to consider:

1. you would still be able to use a URL-based identifier even if email
addresses were permissible OpenID identifiers.
2. the spec would not force anyone to use an email address as their identifier
3. as I've stated repeatedly, many RPs require a valid email to
proceed with sign up anyway, something I call "OpenID double
registration taxation"
4. It's up to your OP to offer information beyond the claimed
identifier. That doesn't mean that an RP won't require more
information (i.e. agreeing to a TOS, providing a birthdate) to proceed
5. a vast majority of people online identify themselves to services
with their email addresses and are accustomed to typing their email
address into sign in boxes. I have video of someone trying to sign in
to Basecamp with their Yahoo OpenID -- the first thing they did was
enter their email address, which, at the time, failed (Basecamp only
supports OpenID 1.0).
6. There's really no reason to prohibit those who would *choose* to
use their email address as their identifier from doing so. You may
choose not to; someone else might feel that the convenience is worth
trading away a piece of personal data.
7. email addresses are in wide and common use in account systems
already. Forcing RPs to move immediately to identifying people by URLs
seems like a steep and painful adoption curve.

Bottom line: enabling email addresses as OpenIDs doesn't change the
situation for people who want to use URLs as their identifiers. It
enables a more convenient way to make use of the protocol and reduces
the need for creating new passwords with RPs.


> Of course an RP may want an email address and AX or SREG is a great way to
> get it, but that's always the user's decision while at the OP or later at
> the RP, and isn't a mandatory step to even initiate the login process.

And again, it wouldn't change with the proposed change.

Chris


> On Thu, Oct 30, 2008 at 3:00 AM, Ben Laurie <benl at google.com> wrote:
>>
>> On Thu, Oct 30, 2008 at 7:07 AM, Chris Messina <chris.messina at gmail.com>
>> wrote:
>> > On Thu, Oct 30, 2008 at 4:14 PM, David Recordon <drecordon at sixapart.com>
>> > wrote:
>> >> Can you use POBox.com with david at yahoo.com?  For the added complexity I
>> >> just
>> >> don't think it's worth it considering you already can't delegate your
>> >> email.
>> >>  If you control the domain then you can choose your Provider, otherwise
>> >> you're at the mercy of who controls the domain.  Don't like it, then
>> >> don't
>> >> use your Yahoo account as your OpenID.  IMHO.
>> >> --David
>> >
>> > I'm coming around to this perspective.
>> >
>> > While maximal flexibility would be ideal for "delegating email
>> > addresses", I'm willing to compromise to find the simplest, easiest,
>> > quickest and least costly path to adoption.
>> >
>> > While the mapping concept is a worthwhile one technologically, I think
>> > that trying to push all the freedoms that you get with URL-based
>> > OpenIDs into email addresses could be a losing proposition.
>> >
>> > If we can support email addresses with maximal flexibility with
>> > minimal costs, great, but from what I've seen of how changes actually
>> > get made, changing the OpenID spec as little as possible is the best
>> > way forward.
>> >
>> > It sounds like the OpenID.identity approach might be the best way to
>> > make this happen, pronto, without mucking with DNS and so on.
>>
>> What is "the OpenID.identity approach"?
>>
>> > Remember, email addresses today aren't really explicitly supported by
>> > the spec; the goal should be to make that a possibility with as little
>> > effort as possible.
>>
>> It seems to me that there's a couple of things to consider:
>>
>> 1. Often the RP actually wants an email address, because it wants to
>> be able to communicate with the user. This can be solved with AX, of
>> course _but_ I suspect users will be confused by having to give an
>> "email address" that isn't actually their email address.
>>
>> 2. It seems that it's possible to do a pretty good job with just the
>> domain - the email address is just a way to get the user to tell you
>> what the domain is so discovery can start.
>>
>> Obviously discovery is a prerequisite, though.
>>
>> >
>> > Chris
>> >
>> > --
>> > Chris Messina
>> > Citizen-Participant &
>> >  Open Technology Advocate-at-Large
>> > factoryjoe.com # diso-project.org
>> > citizenagency.com # vidoop.com
>> > This email is:   [ ] bloggable    [X] ask first   [ ] private
>> > _______________________________________________
>> > general mailing list
>> > general at openid.net
>> > http://openid.net/mailman/listinfo/general
>> >
>
>



-- 
Chris Messina
Citizen-Participant &
  Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private


