<div class="gmail_quote">On Wed, May 20, 2009 at 7:56 AM, Andrew Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="gmail_quote">2009/5/19 Santosh Rajan <span dir="ltr"><<a href="mailto:santrajan@gmail.com" target="_blank">santrajan@gmail.com</a>></span><div class="im"><br><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
<br>
That<br>
is why Facebook has not implemented OpenID for sign in and sign up. Because<br>
they cannot without an email address.</blockquote><br></div>Really? You say that sounding like you know. Who have you heard this from? Be careful what you say as if you know. </div></blockquote><div><br></div><div>Indeed. There are other usability issues that must be addressed for OpenID to show up on Facebook's homepage for account sign up for creation. FriendFeed has come the closest so far, and they've resorted to the NASCAR approach (the Google button launches the OpenID/OAuth hybrid flow):</div>
<div><br></div><div><a href="http://www.flickr.com/photos/factoryjoe/3526058220/">http://www.flickr.com/photos/factoryjoe/3526058220/</a></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="gmail_quote">Technically speaking from a general perspective, I would say Facebook could absolutely work without taking a user's email address, however as Shade said perhaps their database schema assumes an email address as a primary identifier. Even so, an OpenID URL with an email address as an attribute would certainly be adaptable by a database schema modeled after that. <br>
</div></blockquote><div><br></div><div>Could work technically, of course, but that's not the issue here, in the least.</div><div><br></div><div>OpenID is a *social* technology and must be implemented beyond what's provided by the spec — that is, in a way that people who have never HEARD OF OpenID can use it. And in a way that doesn't break people's expectations — which is a hard thing to do, considering that the whole point of OpenID is to do exactly that.</div>
<div><br></div><div>I think that over time, if we — as a community — can work with Facebook (and others) to provide tested models and user experiences for making OpenID more useful and understandable by regular folks, we'll see OpenID become more visible. But it's not a technical matter. And it's not about keying databases off of email addresses.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="gmail_quote">
<br>Even if email addresses become a valid OpenID identifier, RPs will still have to perform email verification. It may be an optimized process, or it may be <i>worse</i>. ... If on the other hand RPs choose to trust certain OPs' email attribute assertions, the solution can be applied today and without any special software or behavior on the end user's part. And that's what I'm advocating for.</div>
</blockquote><div><br></div><div>This is something that has come up quite often. Just because you can login with an identifier that LOOKS like and email address doesn't mean that you can receive messages at that address.</div>
<div><br></div><div>For example, <a href="mailto:user@domain.com">user@domain.com</a> might be how I gain FTP access to <a href="http://domain.com">domain.com</a>, as in <a href="mailto:user%3Apassword@domain.com">user:password@domain.com</a>. There may be no <a href="mailto:user@domain.com">user@domain.com</a> email address.</div>
<div><br></div><div><a href="mailto:user@domain.com">user@domain.com</a> may also simply be a Jabber ID, with no capacity to receive email messages.</div><div><br></div><div>I think it's important to separate the form of the identifier from the function — just because it LOOKS like an email address doesn't mean that it is one.</div>
<div><br></div><div>That said, for those cases where we're actually talking about a conventional email address, I think that emails are primarily useful for use in directed identity cases — where you lop off everything before the '@' and use the domain to perform discovery.</div>
<div><br></div><div>We've talked about this for ages and even have a working prototype:</div><div><br></div><div><a href="http://emailtoid.net/">http://emailtoid.net/</a></div></div><br>...and spec:<div><br></div><div>
<a href="http://eaut.org/">http://eaut.org/</a><br clear="all"><br></div><div>and I wrote about this last June, so Santosh, sorry, but you're not the only one advocating for the use of email addresses in OpenID:</div>
<div><br></div><div><a href="http://factoryjoe.com/blog/2008/06/22/announcing-emailtoid-mapping-email-addresses-to-openids/">http://factoryjoe.com/blog/2008/06/22/announcing-emailtoid-mapping-email-addresses-to-openids/</a></div>
<div><br></div><div>...it's really just a matter of making more progress on XRD/LRDD (discovery) — and then pushing forward with OpenID 2.1.</div><div><br></div><div>It'll happen in due time.</div><div><br></div><div>
Chris</div><div><br>-- <br>Chris Messina<br>Open Web Advocate<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> // <a href="http://diso-project.org">diso-project.org</a> // <a href="http://openid.net">openid.net</a><br>
This email is: [ ] bloggable [X] ask first [ ] private<br>
</div>