[OpenID] Your OpenID is destined to be your email address
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Mar 30 11:20:42 UTC 2009
On 03/30/2009 12:52 PM, santrajan:
>
>
> Eddy Nigg (StartCom Ltd.) wrote:
>
>>
>> Why does anyone want to have the email address verified when receiving
>> an assertion about the authentication from the OpenID provider? This is
>> beyond me...
>>
>>
>>
> That's exactly the point I am making. If the email does not come with the
> assertion about the authentication, a site that needs the email address to
> provide a service to the user will not be able to use OpenID.
>
Historically the email address confirmation is/was done by site
operators in order to prevent spam comments and make reasonably sure
that it's a real person behind the user. Obviously this was exploited by
spammers a long time ago...then site operators added CAPTCHAs in
addition to the email verification...this too has already been exploited
by spammers.

OpenID provides an assertion that there is a user associated with the
respective ID. If and which hops and jumps a user must undergo before
receiving an account varies from provider to provider. For general
information including email addresses RPs can request them via SREG.
Users may allow the disclosure of the email address (if they think the
site really needs it).

Having said that, OpenID is subject to being exploited at some point by
(comment) spammers as well. Some providers can be easily exploited and
used for (comment) spamming already today (not to be confused with email
spam). I expect site operators will also realize at some point which
OpenID providers provide a higher value to them than others.
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
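
Added example, not part of the original message: the SREG exchange mentioned above, seen from the relying party, with the email requested as optional and accepted only when the provider listed it among the signed fields. The function names and the example.org/example URLs are constructed for illustration, and verification of openid.sig itself is assumed to happen elsewhere.

```python
from urllib.parse import urlencode, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"

def build_auth_request(op_endpoint, claimed_id, return_to, realm):
    """RP side: checkid_setup redirect that asks for the email as optional."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.optional": "email",  # the user may decline to share it
    }
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urlencode(params)

def email_from_response(query):
    """Return the SREG email from a positive assertion, or None."""
    # Assumption: the caller has already verified openid.sig; this only
    # checks that the email is among the fields that signature covers.
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if fields.get("openid.mode") != "id_res":
        return None
    # Find the alias the OP bound to the SREG namespace (normally "sreg").
    alias = next((k[len("openid.ns."):] for k, v in fields.items()
                  if k.startswith("openid.ns.") and v == SREG_NS), None)
    if alias is None:
        return None
    signed = set(fields.get("openid.signed", "").split(","))
    if f"{alias}.email" not in signed:
        return None  # an unsigned value could have been added in transit
    return fields.get(f"openid.{alias}.email") or None

# Constructed sample responses (query strings the OP would send to return_to).
_BASE = {"openid.ns": OPENID2_NS, "openid.mode": "id_res",
         "openid.claimed_id": "https://alice.example/", "openid.ns.sreg": SREG_NS}
SHARED = urlencode({**_BASE, "openid.sreg.email": "alice@example.org",
                    "openid.signed": "claimed_id,ns.sreg,sreg.email"})
DECLINED = urlencode({**_BASE, "openid.signed": "claimed_id"})
UNSIGNED = urlencode({**_BASE, "openid.sreg.email": "mallory@example.org",
                      "openid.signed": "claimed_id"})

if __name__ == "__main__":
    for name, q in (("shared", SHARED), ("declined", DECLINED), ("unsigned", UNSIGNED)):
        print(name, email_from_response(q))
```

A returned address is only what the provider relayed with the user's consent; SREG carries no indication of whether the provider ever verified it.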