[OpenID] Your OpenID is destined to be your email address

[SitG Admin]

At 2:52 AM -0700 3/30/09, santrajan wrote:
>Eddy Nigg (StartCom Ltd.) wrote:
>>  Why does anyone want to have the email address verified when receiving
>>  an assertion about the authentication from the OpenID provider? This is
>>  beyond me...
>
>Thats exactly the point I am making. If the email does not come with the
>assertion about the authentication, a site that needs the email address to
>provide a service to the user will not be able to use OpenID.

Traditional (username/password) authentication does not tell me the 
user's physical street address, either, but that does not prevent me 
from using traditional authentication to provide appropriate levels 
of security - nor does it prevent me from asking the user for their 
physical street address, directly. (Of course, asking doesn't prevent 
the user from *lying* to me, either. Trust issues.)

At 3:43 AM -0700 3/30/09, santrajan wrote:
>If you have read my articles, nowhere have I stated the your email address or
>any other information is provided without your determination. Let me make
>this clear. The OP provides the email to the RP only after asking the user.

So what happens if the user says "no"?

>And your arguments are exactly what the proponents of OpenId have put
>forward for the last two years, and OpenID hasnt reached anywhere, has it?

That depends on what you mean by "anywhere". You're essentially 
declaring (but not specifying) an arbitrary measurement to be 
authoritative for "anywhere", and then selecting a somewhat less 
arbitrary (but still meaningless) point in OpenID's timeline to 
measure for comparison, and saying that they don't match. (If that 
sentence doesn't make much sense, consider the sentiment mutual ;p)

What we really need to look at is the rate of adoption (strong and 
steadily growing!) over time, and what we really need to compare 
these growing years to is how long *similar* technologies have taken 
to reach *their* "critical mass".

-Shade