Santrajan,<div><br></div><div>It sounds like you're missing some important issues around OpenID security, and I suggest you take a more humble (ask questions rather than make assumptions and accusations) attitude about it and you'll understand what everyone else on this list seems to but you. Either the whole list of intelligent people is crazy, or you're missing something. Let me see if I can help explain to you what I think it is that you're missing.</div>
<div><br></div><div>First of all, your argument that without a verified email address, an OpenID authentication is worthless... Here are some reasons I and others on this list might disagree with your hypothesis:</div><div>
<ol><li>One of the laws of identity is that you can visit a web site, repeatedly, and have the site be sure you are the same person as the last time you visited, yet have no idea who you actually are. Forcing an email address would violate this law. Note I did <i>not</i> say a user MUST be able to visit that web site. But a web site that has no need for an email address shouldn't demand one of the user. Your assertion that "any site worth its salt" should require an email address is a huge and naive assumption. Sorry. There are worthwhile sites out there that don't need, and have no business knowing, their users' email addresses.</li>
<li>You say that a site that needs a verified email address cannot use OpenID. Why not? You have to back that up! A site that needs to verify an email address is not obstructed from verifying an email address simply because it uses OpenID. Without OpenID, a site establishes a new username and password with a new user, asks for an email address, makes the user go through the verification loop, and the account is ready. With OpenID, the user logs in with their OpenID, the site asks for the email address, the user goes through the verification loop, and the account is ready. Is there added value here? Absolutely! The user doesn't have to remember another username and password! </li>
<li>Now suppose OpenID did provide an email address (which in fact it does through broadly-supported extensions at many OPs and RPs). How does an RP trust that the OP gave an email address that was verified? The <i>only</i> way an RP can trust the OP would be for a trust relationship of some kind to exist. In essence, a white list. An RP must have a list that says that if the OpenID assertion came from one of these OPs, then the email they provide can be trusted to have already been verified. OpenID can never evolve to remove this restriction because if you don't trust a user to provide a valid email address (and therefore must verify it), then you can equally not trust a web site hosted by some random unknown user that says that it verified it for you. And if you must have a white list of trusted OPs, then the whole system that you demand must exist already does. Choose your Providers that send email addresses and verify them with their users, and make your RP only accept OpenID authentication from those few. Better yet, accept authentication from any OP, and skip the email verification step when the user comes from one of those trusted OPs and it provides their email address. This is a win for your users when they qualify themselves by picking a trusted OP.</li>
<li>With regard to your "OpenID hasn't gone anywhere": I'm laughing. If Microsoft, Yahoo and Google picking up support for a technology doesn't indicate it is going somewhere, then I don't know what does. Sure there is a lot of progress to be made still in getting sites to become RPs, but there are actually more than you may realize already. If a site accepts a Google or Yahoo login today, it may be using OpenID under the covers even if it doesn't advertise to the user that it is doing so. There are some large and very useful sites that are OpenID RPs that many people use. </li>
</ol><div>I hope this helps you understand, but if not then that's all I'm going to say on this thread anyway.</div><div><br></div></div><div>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">2009/3/30 santrajan <span dir="ltr"><<a href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
<br>
<br>
Eddy Nigg (StartCom Ltd.) wrote:<br>
><br>
><br>
> Why does anyone want to have the email address verified when receiving<br>
> an assertion about the authentication from the OpenID provider? This is<br>
> beyond me...<br>
><br>
><br>
<br>
</div>That's exactly the point I am making. If the email does not come with the<br>
assertion about the authentication, a site that needs the email address to<br>
provide a service to the user will not be able to use OpenID.<br>
<font color="#888888">--<br>
View this message in context: <a href="http://www.nabble.com/Re%3A-The-Various-Methods-For-%22user%40domain.com%22-Style-Identifiers-tp22651519p22779696.html" target="_blank">http://www.nabble.com/Re%3A-The-Various-Methods-For-%22user%40domain.com%22-Style-Identifiers-tp22651519p22779696.html</a><br>
</font><div><div></div><div class="h5">Sent from the OpenID - General mailing list archive at Nabble.com.<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>
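The RP-side decision from point 3 above (accept any OP, but skip the email verification loop only when a trusted OP supplied the address), written out as an added Python example; it is not code from the original message or from any OpenID library, and the trusted OP host names are constructed placeholders. It assumes the assertion itself (signature, return_to, nonce) has already been checked by the RP's OpenID library.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import urlsplit


class EmailStatus(Enum):
    TRUSTED = "trusted"             # OP is on the RP's list: skip the verification loop
    NEEDS_VERIFICATION = "verify"   # treat like a user-typed address: run the loop
    MISSING = "missing"             # no address delivered: ask the user, then verify


# Constructed whitelist of OP endpoint hosts this RP trusts to have verified the
# email addresses they assert (hypothetical names, not real providers).
TRUSTED_OP_HOSTS = frozenset({"op.trusted-example.test", "id.other-example.test"})


@dataclass(frozen=True)
class EmailDecision:
    status: EmailStatus
    email: Optional[str]


def op_host(op_endpoint: str) -> Optional[str]:
    """Return the lowercase host of an https OP endpoint URL, or None if unusable."""
    parts = urlsplit(op_endpoint)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def decide_email(op_endpoint: str, asserted_email: Optional[str],
                 trusted_hosts=TRUSTED_OP_HOSTS) -> EmailDecision:
    """Decide whether the RP may skip its own email verification.

    op_endpoint: the OP endpoint the (already verified) assertion came from.
    asserted_email: the email attribute delivered with it, if any.
    """
    email = (asserted_email or "").strip().lower() or None
    if email is None:
        return EmailDecision(EmailStatus.MISSING, None)
    host = op_host(op_endpoint)
    # Exact host membership only: a substring or prefix test would also accept
    # hosts that merely contain a trusted name, and a non-https endpoint is not
    # something the RP should extend its trust list to.
    if host is not None and host in trusted_hosts:
        return EmailDecision(EmailStatus.TRUSTED, email)
    return EmailDecision(EmailStatus.NEEDS_VERIFICATION, email)
```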