<div class="gmail_quote">On Tue, Oct 21, 2008 at 7:28 PM, Allen Tom <span dir="ltr">&lt;<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="Ih2E3d">Martin Atkins wrote:<br>
> I think it'd be pretty confusing and non-obvious if I typed in<br>
> <a href="mailto:something@example.com">something@example.com</a> but, because of an existing session, I actually<br>
> ended up claiming <a href="mailto:somethingelse@example.com">somethingelse@example.com</a>. This could arise for a<br>
> number of reasons, including but not limited to a given person having<br>
> several email accounts or several users sharing the same computer who<br>
> have not yet discovered the wonders of separate local user accounts.<br>
><br>
> We should never ignore any part of what the user enters. If they just<br>
> enter their OP's domain, then the above is fine.<br>
><br>
</div>+1<br>
If the purpose is to verify a user's email address, then the user should<br>
have typed in the correct email address to be verified, and the email<br>
returned in the assertion should match the email address in the request.<br></blockquote></div><div><br></div>-1<div><br></div><div>I'm against the notion of verifying email addresses with OpenID.</div><div><br></div>
<div>I think email addresses used as identifiers are at best hints that resolve to a typical http/https URL. </div><div><br></div><div>Setting the expectation that OpenID can be used to verify a specific email address seems fraught with disaster, since I would think that the expectation of a "verified email address" would be that the owner of such an address would be able to receive emails with it. Email in OpenID should be primarily for hinting at where a user's OP lives on the web; if it happens that the email identifier provided results in a matching returned email address (via SREG, AX or PoCo), you can consider it coincidence.</div>
<div><br></div><div>I'm a proponent of emails-as-identifiers insomuch as it means that OpenID will be significantly more palatable for users who are accustomed to identifying themselves to sites as an email address. Expanding the scope to email verification seems bound to fail in the wild.<br clear="all">
<br></div><div>Chris</div><div><br>-- <br>Chris Messina<br>Citizen-Participant &<br> Open Technology Advocate-at-Large<br><a href="http://factoryjoe.com">factoryjoe.com</a> # <a href="http://diso-project.org">diso-project.org</a><br>
<a href="http://citizenagency.com">citizenagency.com</a> # <a href="http://vidoop.com">vidoop.com</a><br>This email is: [ ] bloggable [X] ask first [ ] private<br>
</div>