[OpenID] OpenID based on email addresses... Just Works!
David Fuelling
sappenin at gmail.com
Thu Oct 30 18:15:30 UTC 2008
On Thu, Oct 30, 2008 at 5:43 PM, Martin Atkins <martin at atkins.me.uk> wrote:
> David Fuelling wrote:
>
>>
>> So my grandma has a yahoo.com email address (she
>> doesn't really, but for the sake of illustration). She types
>> 'grandma at yahoo.com' into an RP, and in 2008,
>> she'll use Yahoo.com as her OP. But in 2009 (hypothetically), Yahoo
>> introduces the ability to "link" your email address to any OpenID of your
>> choosing. They set up a control panel to facilitate this, etc. My grandma,
>> being not that sophisticated, will likely continue using Yahoo. But me --
>> I'll be able to now link my yahoo.com email address to
>> my sappenin.com OpenID. In 2012 (assume my grandma
>> is kind of young), I go over to her house and say, "Grandma, did you know
>> that if you start using Google.com as your Identity Provider, they'll pay
>> you $1 every time you log in to a site, because they're Google and they can
>> do that sort of thing?". My grandma will say something like, "Wow, I use
>> the computer a lot, and that will subsidize my social security -- Thanks
>> Google!". And oh, by the way, since it's 2012, Google has an automated
>> system to do all of this for my Grandma, so she doesn't even need my help to
>> let Google subsidize her social security. She simply switches over her
>> OpenID email mapping/Delegation information.....but retains her Yahoo
>> email address as her "login mechanism".
>>
>>
> Of course, as soon as you change the URL underlying your email address, you
> effectively become a new user on all RPs where you use that email address.
>
> This is exactly the sort of confusion I'm thinking of when I say that
> adding this extra layer of indirection is confusing. I'm still typing in the
> same email address, so why can't I access my account?
>
> I think this is one situation where simpler is better. If there's only one
> identifier in play then you know where you stand.
>
>
>
A good RP would track both the email address and corresponding OpenID, and
would notice that a user is trying to log in with a familiar email, but a
different OpenID URL. Email Verification could simply re-correspond the
user to the new OpenID, and Voila -- I have my same account, and I (the
user) didn't even know anything happened because it was all done
automagically.
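
Added example, not part of the original message or of any OpenID library: a minimal sketch of the relying-party behaviour described in the reply above, where a known email arriving with a different OpenID is rebound only after a token mailed to that address is returned. The `RelyingParty` class, its method names, the 15-minute token lifetime and the first-use binding without verification are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

class RelyingParty:
    """Constructed RP account store: one account per email, bound to one OpenID."""

    def __init__(self, ttl=900):
        self._key = secrets.token_bytes(32)   # MAC key for stored tokens
        self._ttl = ttl                       # token lifetime in seconds (assumed)
        self.accounts = {}                    # email -> bound OpenID URL
        self.pending = {}                     # email -> (new OpenID, token MAC, expiry)

    def _mac(self, token):
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def login(self, email, asserted_openid, now=None):
        """asserted_openid: identifier the OP has already positively asserted."""
        now = time.time() if now is None else now
        email = email.strip().lower()         # simplification: case-folds local part
        bound = self.accounts.get(email)
        if bound is None:
            self.accounts[email] = asserted_openid
            return ("new_account", None)
        if bound == asserted_openid:
            return ("ok", None)
        # Familiar email, different OpenID: no session yet. Issue a one-time
        # token to be mailed to the address; only its MAC is stored.
        token = secrets.token_urlsafe(32)
        self.pending[email] = (asserted_openid, self._mac(token), now + self._ttl)
        return ("verify_email", token)

    def confirm(self, email, token, now=None):
        """Rebind the account only if the mailed token comes back in time."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        entry = self.pending.pop(email, None)  # single use, even on failure
        if entry is None:
            return False
        new_openid, mac, expires = entry
        if now > expires or not hmac.compare_digest(mac, self._mac(token)):
            return False
        self.accounts[email] = new_openid
        return True
```

The old binding stays in `accounts` until `confirm` succeeds, so a changed mapping at the email provider alone never grants access to the existing account.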