[OpenID] The Various Methods For "user at domain.com" Style Identifiers
Martin Atkins
mart at degeneration.co.uk
Mon Mar 23 05:31:06 UTC 2009

Andrew Arnott wrote:
> This comes up periodically. The last time it did, it ended with: "it
> already works, via directed identity." If an email address domain name
> supports directed identity, then a user can type his/her own email address,
> and it (becoming equivalent to just the domain name of that email address)
> redirects the user to the OP, where the identifier can be decided on and the
> assertion sent back to the RP.

Of course, a user can also enter some other email address in the same
domain and have it quietly switch on him when he logs in. That's pretty
poor UX, and will suck for anyone who shares a computer with someone
else who uses the same email provider.

This is a specific case of the general problem of "user doesn't actually
get logged in as what they typed", which is troublesome because the user
then is left with no idea of what his OpenID identifier actually *is*,
and is likely to be confused when he's identified as something other
than what he entered.

(Directed identity gets around this problem by leaving everything
user-sensitive out of what the user enters, so the question changes from
"Who are you?" to "Who can tell me who you are?".)