On Thu, Oct 30, 2008 at 5:43 PM, Martin Atkins <span dir="ltr">&lt;<a href="mailto:martin@atkins.me.uk">martin@atkins.me.uk</a>&gt;</span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
David Fuelling wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
So my grandma has a <a href="http://yahoo.com" target="_blank">yahoo.com</a> email address (she doesn't really, but for the sake of illustration). She types '<a href="mailto:grandma@yahoo.com" target="_blank">grandma@yahoo.com</a>' into an RP, and in 2008, she'll use Yahoo.com as her OP. But in 2009 (hypothetically), Yahoo introduces the ability to "link" your email address to any OpenID of your choosing. They set up a control panel to facilitate this, etc. My grandma, being not that sophisticated, will likely continue using Yahoo. But me -- I'll be able to now link my <a href="http://yahoo.com" target="_blank">yahoo.com</a> email address to my <a href="http://sappenin.com" target="_blank">sappenin.com</a> OpenID. In 2012 (assume my grandma is kind of young), I go over to her house and say, "Grandma, did you know that if you start using Google.com as your Identity Provider, they'll pay you $1 every time you log in to a site, because they're Google and they can do that sort of thing?". My grandma will say something like, "Wow, I use the computer a lot, and that will subsidize my social security -- Thanks Google!". And oh, by the way, since it's 2012, Google has an automated system to do all of this for my Grandma, so she doesn't even need my help to let Google subsidize her social security. She simply switches over her OpenID email mapping/Delegation information... but retains her Yahoo email address as her "login mechanism".<br>
<br>
</blockquote>
<br>
Of course, as soon as you change the URL underlying your email address, you effectively become a new user on all RPs where you use that email address.<br>
<br>
This is exactly the sort of confusion I'm thinking of when I say that adding this extra layer of indirection is confusing. I'm still typing in the same email address, so why can't I access my account?<br>
<br>
I think this is one situation where simpler is better. If there's only one identifier in play then you know where you stand.<br>
<br>
<br>
</blockquote></div><br>A good RP would track both the email address and corresponding OpenID, and would notice that a user is trying to log in with a familiar email, but a different OpenID URL. Email Verification could simply re-correspond the user to the new OpenID, and Voila -- I have my same account, and I (the user) didn't even know anything happened because it was all done automagically.<br>
<br><br>
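A sketch of the RP-side bookkeeping described in the reply above, as an added example that is not part of the original message or of any OpenID library. The class name, method names and token scheme are hypothetical, and the token returned by login() stands in for a link mailed to the address on file.

```python
import secrets

class RelyingParty:
    """Hypothetical RP account store keyed by email, with the OpenID bound to it."""

    def __init__(self):
        self.accounts = {}  # email -> {"openid": claimed identifier}
        self.pending = {}   # single-use token -> (email, new openid)

    @staticmethod
    def _norm(email):
        # Assumption: the RP treats addresses case-insensitively.
        return email.strip().lower()

    def login(self, email, openid):
        """`openid` is the identifier the OP has already asserted for this login."""
        email = self._norm(email)
        acct = self.accounts.get(email)
        if acct is None:
            self.accounts[email] = {"openid": openid}
            return ("created", None)
        if acct["openid"] == openid:
            return ("ok", None)
        # Familiar email, different OpenID: neither log in nor create a second
        # account. Issue a token that would be mailed to the address on file.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, openid)
        return ("verify_email", token)

    def confirm(self, token):
        """Called when the link mailed to the user is followed."""
        entry = self.pending.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, openid = entry
        self.accounts[email]["openid"] = openid
        return True
```

The binding changes only in confirm(); a login() that presents an unfamiliar OpenID for a known email never grants access to the existing account on its own.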