[OpenID] Setting an OP by user's E-mail address

[SitG Admin]

We have URL's pointing at pages with OpenID headers; those are URI's. 
We have E-mail addresses from which we're supposed to extract the 
domain, then go there and *hope* the provider has linked to an XRD 
file with more information, plus all the privacy concerns associated 
with that approach. I'd like to propose a third, if more awkward, 
method.

Per each RP, when the user first types in their address, the RP sends 
them an E-mail. In this message are two links: the first confirms 
their initial authentication (during which they may enter a setup 
mode to specify their OP - sadly, no autodiscovery here), and the 
second is to be used *only* for requesting another E-mail for 
purposes of resetting their OP.

The results of that first setup can be trusted nigh indefinitely, 
since the user has proven (directly to the RP) their ability to 
receive E-mail at that address, and ownership of *those* doesn't 
frequently change hands. Just accessing that message (or using the 
second URL) won't help attackers, though, because they also need to 
be able to receive messages that are being sent *now*, when the 
second link is activated - the first link is once-only (this is not a 
problem, since the second can be used to request another if needed).

-Shade