[OpenID] Your OpenID is destined to be your email address
Andrew Arnott
andrewarnott at gmail.com
Mon Mar 30 16:18:53 UTC 2009
Santrajan,
It sounds like you're missing some important issues around OpenID security,
and I suggest you take a more humble (ask questions rather than make
assumptions and accusations) attitude about it and you'll understand what
everyone else on this list seems to but you. Either the whole list of
intelligent people is crazy, or you're missing something. Let me see if I
can help explain to you what I think it is that you're missing.
First of all, your argument that without a verified email address, an OpenID
authentication is worthless... Here are some reasons I and others on this
list might disagree with your hypothesis:
1. One of the laws of identity is that you can visit a web site,
repeatedly, and have the site be sure you are the same person as the last
time you visited, yet have no idea who you actually are. Forcing an email
address would violate this law. Note I did *not* say a user MUST be able
to visit that web site. But a web site that has no need for an email
address shouldn't demand one of the user. Your assertion that "any site
worth its salt" should require an email address is a huge and naive
assumption. Sorry. There are worthwhile sites out there that don't need,
and have no business knowing, their users' email addresses.
2. You say that a site that needs a verified email address cannot use
OpenID. Why not? You have to back that up! A site that needs to verify an
email address is not obstructed from verifying an email address simply
because it uses OpenID. Without OpenID, a site establishes a new username
and password with a new user, asks for an email address, makes the user go
through the verification loop, and the account is ready. With OpenID, the
user logs in with their OpenID, the site asks for the email address, the
user goes through the verification loop, and the account is ready. Is there
added value here? Absolutely! The user doesn't have to remember another
username and password!
3. Now suppose OpenID did provide an email address (which in fact it does
through broadly-supported extensions at many OPs and RPs). How does an RP
trust that the OP gave an email address that was verified? The *only* way
an RP can trust the OP would be for a trust relationship of some kind to
exist. In essence, a white list. An RP must have a list that says that if
the OpenID assertion came from one of these OPs, then the email they provide
can be trusted to have already been verified. OpenID can never evolve to
remove this restriction because if you don't trust a user to provide a valid
email address (and therefore must verify it), then you can equally not trust
a web site hosted by some random unknown user that says that it verified it
for you. And if you must have a white list of trusted OPs, then the whole
system that you demand must exist already does. Choose your Providers that
send email addresses and verify them with their users, and make your RP
only accept OpenID authentication from those few. Better yet, accept
authentication from any OP, and skip the email verification step when the
user comes from one of those trusted OPs and it provides their email
address. This is a win for your users when they qualify themselves by
picking a trusted OP.
4. With regard to your "OpenID hasn't gone anywhere". I'm laughing. If
Microsoft, Yahoo and Google picking up support for a technology doesn't
indicate it is going somewhere, then I don't know what does. Sure there is
a lot of progress to be made still in getting sites to become RPs, but there
are actually more than you may realize already. If a site accepts a Google
or Yahoo login today, it may be using OpenID under the covers even if it
doesn't advertise to the user that it is doing so. There are some large and
very useful sites that are OpenID RPs that many people use.
I hope this helps you understand, but if not then that's all I'm going to
say on this thread anyway.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
2009/3/30 santrajan <santrajan at gmail.com>
> Eddy Nigg (StartCom Ltd.) wrote:
> >
> >
> > Why does anyone want to have the email address verified when receiving
> > an assertion about the authentication from the OpenID provider? This is
> > beyond me...
> >
> >
>
> That's exactly the point I am making. If the email does not come with the
> assertion about the authentication, a site that needs the email address to
> provide a service to the user will not be able to use OpenID.
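The relying-party logic described in points 2 and 3 above, as an added example that is not code from the original post or from any OpenID library: an RP accepts an assertion from any OP, treats the e-mail claim (SREG/AX) as verified only when the signed OP endpoint matches a whitelist exactly, and otherwise falls back to its own mail-a-token verification loop. The whitelist URL, the Assertion/Account types and the function names are assumptions for illustration; the example also assumes the normal OpenID 2.0 checks (response signature, discovery on the claimed identifier) have already been done so that op_endpoint is the signed openid.op_endpoint value.

```python
"""RP-side decision: is the e-mail that came with an OpenID assertion trusted?

Added example. Assumes the OpenID 2.0 response signature was already
validated (association or check_authentication) and that discovery on
claimed_id succeeded, so a.op_endpoint is the signed openid.op_endpoint
value rather than an attacker-supplied string.
"""
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed whitelist: OP endpoints whose e-mail claims this RP accepts as
# already verified. Placeholder URL, not any real provider's endpoint.
TRUSTED_OP_ENDPOINTS = frozenset({"https://op.example.com/openid"})


@dataclass
class Assertion:
    """Fields an RP keeps from a positive OpenID response (hypothetical type)."""
    claimed_id: str
    op_endpoint: str
    email: Optional[str] = None   # openid.sreg.email / AX value; may be absent


@dataclass
class Account:
    """Local account state (hypothetical type)."""
    claimed_id: str
    email: Optional[str] = None
    email_verified: bool = False
    pending_token: Optional[str] = None  # set when a verification mail is owed


def normalize_endpoint(url: str) -> str:
    """Lower-case scheme and host, drop any fragment, keep path/query verbatim."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def op_is_trusted(op_endpoint: str, trusted=TRUSTED_OP_ENDPOINTS) -> bool:
    """Exact match after normalization: no prefix or substring matching, so a
    look-alike such as https://op.example.com.evil.net/openid does not pass."""
    wanted = {normalize_endpoint(t) for t in trusted}
    return normalize_endpoint(op_endpoint) in wanted


def on_positive_assertion(a: Assertion, trusted=TRUSTED_OP_ENDPOINTS) -> Account:
    """Create the local account; decide whether the e-mail claim needs our own loop."""
    acct = Account(claimed_id=a.claimed_id)
    if not a.email:
        # Pseudonymous login (point 1): stable identifier, no e-mail demanded.
        return acct
    acct.email = a.email
    if op_is_trusted(a.op_endpoint, trusted):
        # A whitelisted OP already verified this address; skip the loop (point 3).
        acct.email_verified = True
    else:
        # Unknown OP: its claim is worth no more than the user's own typing,
        # so run the usual verification loop (point 2). Token goes in the mail.
        acct.pending_token = secrets.token_urlsafe(32)
    return acct


def confirm_email(acct: Account, token_from_link: str) -> bool:
    """Called when the user clicks the link in the verification mail."""
    if acct.pending_token is None:
        return False
    if not secrets.compare_digest(acct.pending_token, token_from_link):
        return False
    acct.email_verified = True
    acct.pending_token = None   # single use
    return True
```

The whitelist check is an exact, normalized match on the OP endpoint that signed the response, not on the claimed identifier or on any hostname substring; trusting an OP only means trusting what that OP says about its own users' addresses, which is all the whitelist in point 3 can express.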