[OpenID] Your OpenID is destined to be your email address

Martin Paljak martin at paljak.pri.ee
Mon Mar 30 13:21:54 UTC 2009


Actually I'd like to see some disposable e-mail provider set up a
disposable OpenID provider which would provide a "verified" e-mail
with OpenID responses. Something like mailinator.com +
http://www.jkg.in/openid/ (now defunct)

Mechanisms for verifying ownership of e-mail addresses or functioning  
of e-mail addresses can vary as well. There must not be a direct  
relationship between a verified e-mail address and an OpenID.

For example, in Estonia we have a thing called "@eesti.ee e-mail  
address"  (read more http://www.id.ee/?id=11110&&langchange=1 ) which  
is a forwarding service provided by the government IT infrastructure.  
You can reach me on martin.paljak at eesti.ee for example. The connection  
between me and this e-mail address is very "hard coded" and verified,  
so I could say that openid.ee, the OpenID service we run in Estonia,  
provides *verified e-mail addresses* only. Not all people have the  
forwarding configured (meaning you can't reach the owner via this
e-mail) but the fact that I own the address is verified. But sometimes
I'd like to use some other e-mail address with the same OpenID, like
martin at paljak.pri.ee. My OP, openid.ee, and my e-mail address would
have no relation then. We could say that my OP, openid.ee, sets up a
policy of validating e-mail addresses before we associate them with
users, but that's out of
the scope of OpenID. It would be a peer-to-peer trust decision done by  
the RP towards a specific OP "I trust that this OP gives out verified  
e-mail addresses" and possibly decides NOT to do the independent  
verification of the reachability of the e-mail address.

If I was an RP and my operations relied on verified e-mail addresses, I
would in any case independently verify the reachability of e-mail
addresses.

What does make sense is e-mail based discovery (which is being worked  
on) and the assumption that the e-mail used in such a transaction is a  
real and usable e-mail address.

m.

On 30.03.2009, at 13:43, santrajan wrote:

>
> If you have read my articles, nowhere have I stated that your email address or
> any other information is provided without your determination. Let me make
> this clear. The OP provides the email to the RP only after asking the user.
> And your arguments are exactly what the proponents of OpenID have put
> forward for the last two years, and OpenID hasn't reached anywhere, has it?
>
>
> William J. Coldwell-2 wrote:
>>
>> I read both of your articles on OpenID, and I have no confidence in what you've
>> stated.  I do not want my OpenID tied to any specific email, or other information
>> that would be provided automatically without my determination (e.g.,
>> verisignlabs).
>>
>> Email addresses can change (ISP goes under, user forgets email password, whatever),
>> and any tool that gives spammers more fodder is never good.
>>
>> --Cryo
>>
>>
>>
>>
>
> -- 
> View this message in context: http://www.nabble.com/Re%3A-The-Various-Methods-For-%22user%40domain.com%22-Style-Identifiers-tp22651519p22780495.html
> Sent from the OpenID - General mailing list archive at Nabble.com.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
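
An added illustration, not part of the original message or of any OpenID library: the RP-side policy the message describes, where trust in an OP's "verified" e-mail is a per-OP decision and the RP can still confirm reachability itself with a token bound to the (OpenID, e-mail) pair. The endpoint URL, key and function names are hypothetical, and the assertion is assumed to have been validated already.

```python
import hashlib
import hmac
import json
import time

# Hypothetical values: the endpoint URL and key are constructed for this example.
TRUSTED_EMAIL_OPS = {"https://openid.ee/server"}  # OPs trusted to hand out verified e-mail
RP_KEY = b"constructed-demo-key"                  # in practice, load from a secret store
TOKEN_TTL = 24 * 3600                             # confirmation link lifetime, seconds


def email_decision(op_endpoint, always_confirm=True):
    """Decide how to treat an e-mail attribute from an already-validated assertion.

    op_endpoint must be the endpoint the RP discovered and verified the
    assertion against, never a value copied from the response parameters.
    """
    if not always_confirm and op_endpoint in TRUSTED_EMAIL_OPS:
        return "accept"   # peer-to-peer trust in this specific OP
    return "confirm"      # RP checks reachability itself


def _mac(claimed_id, email, expires):
    # JSON encoding keeps the three fields unambiguous inside the MAC input.
    msg = json.dumps([claimed_id, email.lower(), expires]).encode()
    return hmac.new(RP_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(claimed_id, email, now=None):
    """Token to mail to the address; binds it to the OpenID at the RP only."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{expires}.{_mac(claimed_id, email, expires)}"


def confirm_token(token, claimed_id, email, now=None):
    """True if the token was issued for this (OpenID, e-mail) pair and is unexpired."""
    expires_s, _, mac = token.partition(".")
    try:
        expires = int(expires_s)
    except ValueError:
        return False
    if int(now if now is not None else time.time()) > expires:
        return False
    return hmac.compare_digest(mac.encode(), _mac(claimed_id, email, expires).encode())
```

The token ties the address to the OpenID only in the RP's own records, so the same OpenID can later be paired with a different address without involving the OP.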






