[OpenID] A Case for OpenEmailID
SitG Admin
sysadmin at shadowsinthegarden.com
Mon May 4 04:21:06 UTC 2009
>Please see my blog post with the same subject.
>http://santrajan.blogspot.com/2009/05/case-for-openemailid.html
I was glad to see you begin including the text of your blog posts in
your posts to this list. It's a good sign when someone comes over to
a group and deigns to talk to them directly; now, though, you're back
to the impression that you have something so important to say, you
expect those on this list to switch from E-mail to a browser (ironic,
since your posts are mainly about OpenID switching from URL-based
authentication to E-mail) so they can participate in its discussion.
Speaking of irony, keeping the sole copy of your post on your blog
*so soon after deleting several of your prior posts* seems like an
invitation for that incident to repeat itself.
If you want to recover the earlier post that you were not fortunate
enough to have in your mailbox (from posting them to this list), a
surface-level drive editor (XVI32 for Windows comes to mind) can
search for cache files from most browsers. (Firefox lets me do nice
things for my privacy, including, unfortunately for recovery in this
case, securely wipe my cache files.) Looking at the HTML source for
your directory and a comments section, Blogspot appears to include a
full link to the post in both areas - so, if you surround their URLs
with the quotation marks used around a link, you should be able to
eliminate most false positives. Here are the two to look for:
http://santrajan.blogspot.com/2009/03/mess-called-openid.html
It may also be possible to recover drafts of that post by searching
the drive surface for text from the excerpts I quoted earlier:
http://openid.net/pipermail/general/2009-March/008149.html
Perhaps someone else on this list (who viewed your site) can help.
With a publicly archived list such as this one we expect to be able
to refer back to earlier posts for context, to see what someone was
saying; when you insist on placing your words where they cannot be so
conveniently archived, you break those expectations. I urge you to
reconsider whether you are going to post your words to the list like
everyone else here, or merely notify us that you have spoken and ask
us to visit your blog so we can hear you.
>1) As a user you don't have to learn anything new. You just continue
>to use your email addresses to log in anywhere like you almost
>always did.
That's an awfully big "almost", there.
I may have just taken a while to stumble across the kind of site that
required users to log in with their E-mail address as the username,
but I'm having trouble recalling *any* site from "way back when" that
did so. In fact, it seems like a fairly recent change. Part of this
could be that I avoid like the plague sites that don't respect their
users' privacy, but this little seems like a *basic* idea, to me -
one easily apprehensible by even the companies that planned on
selling their users' personal data - if those users are going to be
sending some data over the wires every time they log in, *don't* make
it trivial for anyone with a packet sniffer to learn their address.
>If the authenticated OpenEmailID is an existing account that's the
>users account.
We're experiencing a fundamental disconnect here about the meaning of
"authentication". OpenID conveys a URI which I can look up, and it
will tell me that this OP does, in fact, have proper authority to
vouch for the URI's owner(s) - this is all in band. But when you
involve an E-mail address while expecting to not use the E-mail
channels, that accountability suddenly vanishes. There *may* (and
again, I stress this, there will not *necessarily* be) be
accountability for identical domains - but are you going to tell all
sites running things differently that they'll need to change their
dastardly ways if they wish to take advantage of OpenEmailID? Doesn't
sound very open.
Some of this matters only to the extent that it is "used" - if you
want me to send mail to your listed address or tell others that this
is your verified address, we may have problems, but if you just want
it to show up in your Profile as "this is the string placed in that
category", akin to "the user chose to list 'Narnia' as their
Location, we do not screen these strings to ensure the user is even
lying convincingly", that's fine. Warnings can be posted to make it
clear to (other) users that they should *not* rely on that
information to be accurate.
>If it does not exist it is a new account and Facebook can skip the
>email verification process, an obvious advantage.
It could be I'm just dense, but maybe that "advantage" isn't so
obvious after all. Care to elaborate on how adding an E-mail address
to a new account, and not verifying it, is different from, say,
adding a new account and not bothering with the E-mail address yet?
>He can create a Google account with his own Email address.
So you *do* consider it acceptable for OPs to use Directed Identity
with addresses that do not share their domain?
>And the web site should encourage the user to create an account at
>one of these sites.
And the web site should keep track of how many users *do* create an
account at any of those providers, then approach the large providers
after the referral count has gotten high enough to be worthwhile,
demanding a kickback for all those endorsements.
Hold on. *tears off Federation hat* Sorry, seeing those two Providers
mentioned by name and given a prominent position in so many of your
examples has been tickling my Advertising sense.
>All this can be done very easily, because there is nothing new to
>implement or invent here.
Kind of like using Redirect in the browser ;)
>We can very easily achieve the objective of a single sign on. One
>email one password. One OpenEmailID!
*blinks* Suddenly, this makes perfect sense.
Every time the user wants to log in, the RP will send them an E-mail
at their address. Not just "during account creation", for
"verification"; no, a temporary URL will be created for them to begin
their session at, and that URL will be sent to their mailbox. One
email, one password (to check their account), one mailbox, one
OpenEmailID!
-Shade
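
The quoted-URL search suggested in the message, as an added example that is not part of the original post: it scans a raw image or cache dump in chunks for the one URL that appears in the post, wrapped in the quotation marks of an HTML link, so bare mentions are not reported. The function name, chunk size and context width are assumptions chosen for illustration.

```python
import io

# URL taken from the post above; the quotes around it mimic an HTML href value.
TARGET_URL = b"http://santrajan.blogspot.com/2009/03/mess-called-openid.html"

def find_quoted_url(stream, url=TARGET_URL, chunk_size=1 << 20, context=64):
    """Scan a raw byte stream (disk image, cache dump) for the URL wrapped in
    double or single quotes. Returns a sorted list of (offset, context_bytes)."""
    needles = [b'"' + url + b'"', b"'" + url + b"'"]
    # Bytes carried into the next buffer so a hit that straddles two chunks is
    # still matched and keeps its leading context.
    overlap = len(needles[0]) - 1 + context
    hits, seen = [], set()
    tail, base = b"", 0          # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for needle in needles:
            pos = buf.find(needle)
            while pos != -1:
                abs_off = base + pos
                if abs_off not in seen:      # overlap region is scanned twice
                    seen.add(abs_off)
                    lo = max(0, pos - context)
                    # Trailing context can be shorter at a buffer edge.
                    hits.append((abs_off, buf[lo:pos + len(needle) + context]))
                pos = buf.find(needle, pos + 1)
        tail = buf[-overlap:] if len(buf) > overlap else buf
        base += len(buf) - len(tail)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample standing in for a disk image: one bare mention, one href.
    sample = (b"\x00" * 40 + b"see " + TARGET_URL + b" "
              + b'<a href="' + TARGET_URL + b'">x</a>')
    for offset, ctx in find_quoted_url(io.BytesIO(sample), chunk_size=32, context=12):
        print(hex(offset), ctx)
```
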