[OpenID] Proposal for email address in URL path as a valid OpenID
SitG Admin
sysadmin at shadowsinthegarden.com
Thu May 7 00:55:00 UTC 2009
>Additionally, while username@ is allowed before the domain, the @
>character is not allowed as part of the URL path.
But it automatically gets translated (into %##) if necessary, right?
I've seen websites accept the '@' symbol when submitted as form input
through GET; even when the URL is a blind request from no previous
page or previously established session.
Doing this seems easier than telling users to type in their E-mail
address, except with a different symbol suddenly being substituted
for '@'.
As for the trust issues - I don't like the idea of RPs sending fake
"users" to large SPs, asking for the XRD file corresponding to a
given address, and learning from the response (or lack thereof)
whether the E-mail address in question *existed*. But without that,
how would SPs know whether to forward the "user" to the OP
associated with that address? (Assume non-webmail SPs, where the
existing authentication is not saved in a form traditional browsers
would understand.)
I have a vague idea of security through burying RPs in an avalanche
of needles (naming various OPs for nonexistent addresses, in
proportions drawn from real users, not worrying about "users" who
weren't real in the first place trying to authenticate with an OP
they had no account at), but it doesn't fail gracefully for ordinary
users who make a typo on their address, and the proportions would
enable RPs to map out demographics for that SP's users without even
knowing any real addresses, and the data would probably have to stay
consistent from request to request to be believable, requiring
obscene data storage capabilities at the SP.
-Shade
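Added example, not part of the original post or of any OpenID implementation: a toy discovery responder for e-mail-shaped identifiers that shows the three points raised above in running code. It builds the identifier URL path with '@' percent-encoded, shows why a responder that returns an XRD only for known addresses is an account-existence oracle for any RP, and implements the "avalanche of needles" mitigation (every well-formed address gets an XRD naming some OP, with OPs for unknown addresses drawn in the same proportions as real users). The user list, OP URLs and secret are constructed; the use of a keyed hash (HMAC) to keep fake answers consistent between requests without per-address storage is this example's own design choice, not something the post proposes.

```python
"""Toy OpenID-style discovery for e-mail identifiers (added example).

All users, OP URLs and the SP secret below are constructed for the example.
"""
import hashlib
import hmac
from collections import Counter
from urllib.parse import quote

# Constructed: the SP's real users and the OP each one authenticates with.
REAL_USERS = {
    "alice@example.com": "https://op-a.example/",
    "bob@example.com": "https://op-b.example/",
    "carol@example.com": "https://op-a.example/",
    "dave@example.com": "https://op-a.example/",
}
# Assumption (not from the post): a keyed hash makes fake answers stable
# across requests, so the SP stores nothing per nonexistent address.
SP_SECRET = b"constructed-secret-for-the-example"


def discovery_path(email: str) -> str:
    """Identifier as a URL path; '@' is not allowed raw in a path, so it
    becomes %40 (unreserved characters such as '.' stay as they are)."""
    return "/openid/" + quote(email, safe="")


def xrd_for(op: str) -> str:
    """Minimal XRD naming a single OP endpoint."""
    return ("<XRD><Service><Type>http://specs.openid.net/auth/2.0/signon"
            f"</Type><URI>{op}</URI></Service></XRD>")


def naive_discovery(email: str):
    """Existence oracle: status differs for known vs unknown addresses."""
    op = REAL_USERS.get(email)
    return (404, "") if op is None else (200, xrd_for(op))


def op_distribution() -> Counter:
    """How many real users each OP has; fakes are drawn in these proportions."""
    return Counter(REAL_USERS.values())


def pick_fake_op(email: str) -> str:
    """Map an unknown address to an OP, weighted like the real user base.
    Same address -> same OP every time, via HMAC over the address."""
    dist = op_distribution()
    total = sum(dist.values())
    digest = hmac.new(SP_SECRET, email.lower().encode(), hashlib.sha256).digest()
    r = int.from_bytes(digest[:8], "big") % total
    for op, count in sorted(dist.items()):
        if r < count:
            return op
        r -= count
    raise AssertionError("unreachable: r is always below total")


def padded_discovery(email: str):
    """Mitigated responder: every well-formed address gets 200 plus an XRD.
    Note the failure mode from the post: a typo such as 'alcie@' is also
    answered with an OP, so the real user is sent where they have no account."""
    if "@" not in email:
        return 400, ""
    op = REAL_USERS.get(email) or pick_fake_op(email)
    return 200, xrd_for(op)


def enumerate_with(responder, candidates):
    """What an RP-side prober learns: addresses the responder confirms."""
    return {e for e in candidates if responder(e)[0] == 200}


def observed_op_shares(responder, candidates) -> Counter:
    """Demographics leak from the post: OP proportions over invented
    addresses still mirror the real user base."""
    shares = Counter()
    for e in candidates:
        status, xrd = responder(e)
        if status == 200:
            shares[xrd.split("<URI>")[1].split("</URI>")[0]] += 1
    return shares


if __name__ == "__main__":
    probes = ["alice@example.com", "zed@example.com", "nobody@example.com"]
    print(discovery_path("alice@example.com"))
    print("naive  confirms:", enumerate_with(naive_discovery, probes))
    print("padded confirms:", enumerate_with(padded_discovery, probes))
    fakes = [f"user{i}@example.com" for i in range(1000)]
    print("OP shares over 1000 invented addresses:",
          observed_op_shares(padded_discovery, fakes))
```

Running the script shows the naive responder confirming only the real address while the padded one confirms all three, and the share counter over a thousand made-up addresses lands close to the real 3:1 split between the two OPs, which is exactly the demographic leak the post describes.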