[OpenID] OpenID based on email addresses... Just Works!
David Fuelling
sappenin at gmail.com
Thu Oct 30 15:20:38 UTC 2008
+1.
On Thu, Oct 30, 2008 at 1:10 PM, Chris Messina <chris.messina at gmail.com> wrote:
> On Thu, Oct 30, 2008 at 11:37 PM, Andrew Arnott <andrewarnott at gmail.com> wrote:
> > I'm surprised no one has brought this up, but remember that having people
> > log into RPs using their email address is giving away a very personal bit of
> > information that I'd like to hide more than give away. On another thread
> > concern was expressed over allowing OpenID to accidentally reveal the
> > preferred language of a user. Well to me I think email address is far more
> > concerning.
>
> This has been brought up. Points to consider:
>
> 1. you would still be able to use a URL-based identifier even if email
> addresses were permissible OpenID identifiers.
> 2. the spec would not force anyone to use an email address as their
> identifier
> 3. as I've stated repeatedly, many RPs require a valid email to
> proceed with sign up anyway, something I call "OpenID double
> registration taxation"
> 4. It's up to your OP to offer information beyond the claimed
> identifier. That doesn't mean that an RP won't require more
> information (i.e. agreeing to a TOS, providing a birthdate) to proceed
> 5. a vast majority of people online identify themselves to services
> with their email addresses and are accustomed to typing their email
> address into sign in boxes. I have video of someone trying to sign in
> to Basecamp with their Yahoo OpenID -- the first thing they did was
> enter their email address, which, at the time, failed (Basecamp only
> supports OpenID 1.0).
> 6. There's really no reason to prohibit those who would *choose* to
> use their email address as their identifier from doing so. You may
> choose not to; someone else might feel that the convenience is worth
> trading away a piece of personal data.
> 7. email addresses are in wide and common use in account systems
> already. Forcing RPs to move immediately to identifying people by URLs
> seems like a steep and painful adoption curve.
>
> Bottom line: enabling email addresses as OpenIDs doesn't change the
> situation for people who want to use URLs as their identifiers. It
> enables a more convenient way to make use of the protocol and reduces
> the need for creating new passwords with RPs.
>
>
> > Of course an RP may want an email address and AX or SREG is a great way to
> > get it, but that's always the user's decision while at the OP or later at
> > the RP, and isn't a mandatory step to even initiate the login process.
>
> And again, it wouldn't change with the proposed change.
>
> Chris
>
>
> > On Thu, Oct 30, 2008 at 3:00 AM, Ben Laurie <benl at google.com> wrote:
> >>
> >> On Thu, Oct 30, 2008 at 7:07 AM, Chris Messina <chris.messina at gmail.com> wrote:
> >> > On Thu, Oct 30, 2008 at 4:14 PM, David Recordon <drecordon at sixapart.com> wrote:
> >> >> Can you use POBox.com with david at yahoo.com? For the added complexity I just
> >> >> don't think it's worth it considering you already can't delegate your email.
> >> >> If you control the domain then you can choose your Provider, otherwise
> >> >> you're at the mercy of who controls the domain. Don't like it, then don't
> >> >> use your Yahoo account as your OpenID. IMHO.
> >> >> --David
> >> >
> >> > I'm coming around to this perspective.
> >> >
> >> > While maximal flexibility would be ideal for "delegating email
> >> > addresses", I'm willing to compromise to find the simplest, easiest,
> >> > quickest and least costly path to adoption.
> >> >
> >> > While the mapping concept is a worthwhile one technologically, I think
> >> > that trying to push all the freedoms that you get with URL-based
> >> > OpenIDs into email addresses could be a losing proposition.
> >> >
> >> > If we can support email addresses with maximal flexibility with
> >> > minimal costs, great, but from what I've seen of how changes actually
> >> > get made, changing the OpenID spec as little as possible is the best
> >> > way forward.
> >> >
> >> > It sounds like the OpenID.identity approach might be the best way to
> >> > make this happen, pronto, without mucking with DNS and so on.
> >>
> >> What is "the OpenID.identity approach"?
> >>
> >> > Remember, email addresses today aren't really explicitly supported by
> >> > the spec; the goal should be to make that a possibility with as little
> >> > effort as possible.
> >>
> >> It seems to me that there's a couple of things to consider:
> >>
> >> 1. Often the RP actually wants an email address, because it wants to
> >> be able to communicate with the user. This can be solved with AX, of
> >> course _but_ I suspect users will be confused by having to give an
> >> "email address" that isn't actually their email address.
> >>
> >> 2. It seems that it's possible to do a pretty good job with just the
> >> domain - the email address is just a way to get the user to tell you
> >> what the domain is so discovery can start.
> >>
> >> Obviously discovery is a prerequisite, though.
> >>
> >> >
> >> > Chris
> >> >
> >> > --
> >> > Chris Messina
> >> > Citizen-Participant &
> >> > Open Technology Advocate-at-Large
> >> > factoryjoe.com # diso-project.org
> >> > citizenagency.com # vidoop.com
> >> > This email is: [ ] bloggable [X] ask first [ ] private
> >> > _______________________________________________
> >> > general mailing list
> >> > general at openid.net
> >> > http://openid.net/mailman/listinfo/general
> >> >
>
> --
> Chris Messina
> Citizen-Participant &
> Open Technology Advocate-at-Large
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is: [ ] bloggable [X] ask first [ ] private