+1.<br><br><div class="gmail_quote">On Thu, Oct 30, 2008 at 1:10 PM, Chris Messina <span dir="ltr"><<a href="mailto:chris.messina@gmail.com">chris.messina@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Thu, Oct 30, 2008 at 11:37 PM, Andrew Arnott <<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>> wrote:<br>
> I'm surprised no one has brought this up, but remember that having people<br>
> log into RPs using their email address is giving away a very personal bit of<br>
> information that I'd like to hide more than give away. On another thread<br>
> concern was expressed over allowing OpenID to accidentally reveal the<br>
> preferred language of a user. Well to me I think email address is far more<br>
> concerning.<br>
<br>
</div>This has been brought up. Points to consider:<br>
<br>
1. you would still be able to use a URL-based identifier even if email<br>
addresses were permissible OpenID identifiers.<br>
2. the spec would not force anyone to use an email address as their identifier<br>
3. as I've stated repeatedly, many RPs require a valid email to<br>
proceed with sign up anyway, something I call "OpenID double<br>
registration taxation"<br>
4. It's up to your OP to offer information beyond the claimed<br>
identifier. That doesn't mean that an RP won't require more<br>
information (i.e. agreeing to a TOS, providing a birthdate) to proceed<br>
5. a vast majority of people online identify themselves to services<br>
with their email addresses and are accustomed to typing their email<br>
address into sign in boxes. I have video of someone trying to sign in<br>
to Basecamp with their Yahoo OpenID -- the first thing they did was<br>
enter their email address, which, at the time, failed (Basecamp only<br>
supports OpenID 1.0).<br>
6. There's really no reason to prohibit those who would *choose* to<br>
use their email address as their identifier from doing so. You may<br>
choose not to; someone else might feel that the convenience is worth<br>
trading away a piece of personal data.<br>
7. email addresses are in wide and common use in account systems<br>
already. Forcing RPs to move immediately to identifying people by URLs<br>
seems like a steep and painful adoption curve.<br>
<br>
Bottom line: enabling email addresses as OpenIDs doesn't change the<br>
situation for people who want to use URLs as their identifiers. It<br>
enables a more convenient way to make use of the protocol and reduces<br>
the need for creating new passwords with RPs.<br>
<div class="Ih2E3d"><br>
<br>
> Of course an RP may want an email address and AX or SREG is a great way to<br>
> get it, but that's always the user's decision while at the OP or later at<br>
> the RP, and isn't a mandatory step to even initiate the login process.<br>
<br>
</div>And again, it wouldn't change with the proposed change.<br>
<font color="#888888"><br>
Chris<br>
</font><div><div></div><div class="Wj3C7c"><br>
<br>
> On Thu, Oct 30, 2008 at 3:00 AM, Ben Laurie <<a href="mailto:benl@google.com">benl@google.com</a>> wrote:<br>
>><br>
>> On Thu, Oct 30, 2008 at 7:07 AM, Chris Messina <<a href="mailto:chris.messina@gmail.com">chris.messina@gmail.com</a>><br>
>> wrote:<br>
>> > On Thu, Oct 30, 2008 at 4:14 PM, David Recordon <<a href="mailto:drecordon@sixapart.com">drecordon@sixapart.com</a>><br>
>> > wrote:<br>
>> >> Can you use POBox.com with <a href="mailto:david@yahoo.com">david@yahoo.com</a>? For the added complexity I<br>
>> >> just<br>
>> >> don't think it's worth it considering you already can't delegate your<br>
>> >> email.<br>
>> >> If you control the domain then you can choose your Provider, otherwise<br>
>> >> you're at the mercy of who controls the domain. Don't like it, then<br>
>> >> don't<br>
>> >> use your Yahoo account as your OpenID. IMHO.<br>
>> >> --David<br>
>> ><br>
>> > I'm coming around to this perspective.<br>
>> ><br>
>> > While maximal flexibility would be ideal for "delegating email<br>
>> > addresses", I'm willing to compromise to find the simplest, easiest,<br>
>> > quickest and least costliest path to adoption.<br>
>> ><br>
>> > While the mapping concept is a worthwhile one technologically, I think<br>
>> > that trying to push all the freedoms that you get with URL-based<br>
>> > OpenIDs into email addresses could be a losing proposition.<br>
>> ><br>
>> > If we can support email addresses with maximal flexibility with<br>
>> > minimal costs, great, but from what I've seen of how changes actually<br>
>> > get made, changing the OpenID spec as little as possible is the best<br>
>> > way forward.<br>
>> ><br>
>> > It sounds like the OpenID.identity approach might be the best way to<br>
>> > make this happen, pronto, without mucking with DNS and so on.<br>
>><br>
>> What is "the OpenID.identity approach"?<br>
>><br>
>> > Remember, email addresses today aren't really explicitly supported by<br>
>> > the spec; the goal should be to make that a possibility with as little<br>
>> > effort as possible.<br>
>><br>
>> It seems to me that there's a couple of things to consider:<br>
>><br>
>> 1. Often the RP actually wants an email address, because it wants to<br>
>> be able to communicate with the user. This can be solved with AX, of<br>
>> course _but_ I suspect users will be confused by having to give an<br>
>> "email address" that isn't actually their email address.<br>
>><br>
>> 2. It seems that its possible to do a pretty good job with just the<br>
>> domain - the email address is just a way to get the user to tell you<br>
>> what the domain is so discovery can start.<br>
>><br>
>> Obviously discovery is a prerequisite, though.<br>
>><br>
>> ><br>
>> > Chris<br>
>> ><br>
>> > --<br>
>> > Chris Messina<br>
>> > Citizen-Participant &<br>
>> > Open Technology Advocate-at-Large<br>
>> > <a href="http://factoryjoe.com" target="_blank">factoryjoe.com</a> # <a href="http://diso-project.org" target="_blank">diso-project.org</a><br>
>> > <a href="http://citizenagency.com" target="_blank">citizenagency.com</a> # <a href="http://vidoop.com" target="_blank">vidoop.com</a><br>
>> > This email is: [ ] bloggable [X] ask first [ ] private<br>
>> > _______________________________________________<br>
>> > general mailing list<br>
>> > <a href="mailto:general@openid.net">general@openid.net</a><br>
>> > <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
>> ><br>
>> _______________________________________________<br>
>> general mailing list<br>
>> <a href="mailto:general@openid.net">general@openid.net</a><br>
>> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
><br>
><br>
<br>
<br>
<br>
</div></div>--<br>
<div><div></div><div class="Wj3C7c">Chris Messina<br>
Citizen-Participant &<br>
Open Technology Advocate-at-Large<br>
<a href="http://factoryjoe.com" target="_blank">factoryjoe.com</a> # <a href="http://diso-project.org" target="_blank">diso-project.org</a><br>
<a href="http://citizenagency.com" target="_blank">citizenagency.com</a> # <a href="http://vidoop.com" target="_blank">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ] private<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>