[OpenID] OpenID and Friendfeed

SitG Admin sysadmin at shadowsinthegarden.com
Sat May 2 02:47:14 UTC 2009


>If the user signs in with an OP that shares email address, the RP 
>can determine if it already has an account with the same email 
>address, and offer to merge two accounts.

Scenario: I use an untrusted OP to vouch for my E-mail address, let's 
say "atom at yahoo-inc.com" - because my OP isn't trusted to vouch for 
E-mail addresses, it will require me to demonstrate an ability to 
receive mail at that address. But first, because it recognizes that 
address, it says "Hey we just detected that you (Allen Tom) already 
have an account here with username Anonymous1234; would you like to 
merge them?"

Automatic account lookup based on E-mail address. Not just "does 
someone with this E-mail address have an account at this site", but 
*which* account, too.

>If not, the user is really a new user, and should probably bypass 
>the account merging step.

Account merging should be available from account management when 
logged in, for users that have given a different E-mail address to 
their OPs.

>This could get hairy if they happen to be different people, and the 
>OP had a stale or incorrect email address.

There are no generation fragments for E-mail addresses. Eventual 
expiry for E-mail addresses that are not re-verified? Some providers 
hold onto old addresses forever, gradually reducing their available 
namespace; others recycle them after a year or so. Want to think 
about all the old accounts you still have lying around someplace on 
the internet, accounts that are just waiting for their last-known 
E-mail address to be reactivated?

-Shade
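
An added example, not part of the original message: one way an RP could order the checks discussed above, so that an e-mail claim from an untrusted OP reveals nothing about existing accounts until mailbox control is proven, and an address that has not been re-verified within a window is not used for merging. The function name, the one-year window and the sample accounts are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: a stored address counts as verified for one year.
REVERIFY_AFTER = timedelta(days=365)

@dataclass
class Account:
    username: str
    email: str
    email_verified_at: datetime  # last proof of mailbox control

def next_step(accounts, claimed_email, op_trusted, mailbox_proven, now):
    """Decide what the RP does with an e-mail claim from an OpenID sign-in.

    Returns (action, username); username is set only for "offer_merge".
    """
    # Untrusted OP and no proof yet: answer before any lookup, so the reply
    # is the same whether or not an account uses this address.
    if not (op_trusted or mailbox_proven):
        return ("send_verification_mail", None)
    wanted = claimed_email.strip().lower()
    match = next((a for a in accounts if a.email.lower() == wanted), None)
    if match is None:
        return ("create_account", None)
    # The stored address was not re-verified recently, so it may have been
    # recycled to someone else: treat the visitor as a new user.
    if now - match.email_verified_at > REVERIFY_AFTER:
        return ("create_account", None)
    return ("offer_merge", match.username)

# Constructed sample data (not from the original post, apart from the
# username used in its scenario).
NOW = datetime(2009, 5, 2, tzinfo=timezone.utc)
ACCOUNTS = [
    Account("Anonymous1234", "user@example.com", datetime(2009, 1, 10, tzinfo=timezone.utc)),
    Account("dormant-user", "old@example.com", datetime(2006, 3, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for email, trusted, proven in [
        ("user@example.com", False, False),
        ("nobody@example.com", False, False),
        ("user@example.com", False, True),
        ("old@example.com", True, False),
    ]:
        print(email, trusted, proven, "->", next_step(ACCOUNTS, email, trusted, proven, NOW))
```

Merging from account management while logged in, as suggested in the message, stays available for the cases that fall through to "create_account".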


