[PROPOSAL] Handle "user at example.com" For Discovery Only

Recordon, David drecordon at verisign.com
Fri Oct 20 21:23:09 UTC 2006


I guess I shouldn't have said http://user@example.com.

All that is being suggested is the following language (on my Treo):
If a string in the format of "user at example.com" at a RP, the RP MUST treat the domain after "@" as the IdP Identifier.  The protocol continues down the normal directed identity flow.

--David

 -----Original Message-----
From: 	Johannes Ernst [mailto:jernst+openid.net at netmesh.us]
Sent:	Friday, October 20, 2006 02:07 PM Pacific Standard Time
To:	specs at openid.net
Subject:	Re: [PROPOSAL] Handle "http://user@example.com" Style Identifiers

We actually built some code some time ago to explore this. The basic  
insight was:

if we can do Yadis discovery on XRIs (which aren't rooted in DNS),  
then we can do Yadis discovery on any other kind of identifier,  
whether it's an e-mail address or an ISBN number or what have you --  
and once we have a Yadis file for a given identifier, we are home  
free because it essentially maps that identifier into HTTP. We  
considered three or four different ways of doing Yadis resolution  
from e-mail addresses and the like, including the  
http://user at example.com/ idea that David mentions; under the hood they are  
different, but what the user sees is the same.

Usability is the key problem here:
  - we confuse the user because suddenly it's not URL-based identity  
any more
  - we confuse the user because users aren't clickable any more  
(except for a mailto: tag, which is confusing in its own right if  
most identities pop up a blog or home page)
  - we confuse the user because if I type the identifier into my  
browser's address bar, it pops up a phishing warning (!) instead of  
the user's home page.

We decided that for the time being, it was going to be much easier to  
educate users on the need to use URLs as identifiers, than to educate  
users to not be confused by the above behaviors.

The situation would change if, say, Mozilla and MSFT were performing  
Yadis discovery on e-mail-style identifiers, and directed the user to  
their (http) home page from a given e-mail address. Not impossible to  
imagine, but certainly not something to expect any century from now.


On Oct 20, 2006, at 13:44, Jonathan Daugherty wrote:

> # I'm not actually proposing the IdP make an assertion about
> # user at example.com.  It would only be used during the discovery phase
> # and then an assertion for a URL be returned.
>
> Ok, I misunderstood.  But even in the case where the IdP makes an
> assertion about a different identifier, that's confusing, too; you
> enter something that looks like an email (and maybe your provider
> tells you it even is), but you log into the site as something else,
> right?
>
> -- 
>   Jonathan Daugherty
>   JanRain, Inc.
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs

Johannes Ernst
NetMesh Inc.
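
Added example, not part of the original thread or of any OpenID library: one way an RP could apply the rule David proposes, using the "@" form only to pick where discovery starts. The names `Discovery` and `classify_identifier` are hypothetical, and the ASCII-only hostname check with at least two labels is an assumption of this example.

```python
import re
from dataclasses import dataclass

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


@dataclass(frozen=True)
class Discovery:
    directed: bool     # True: start the directed identity flow at the IdP
    discover_on: str   # identifier the RP runs discovery against


def classify_identifier(raw: str) -> Discovery:
    """Apply the proposed rule to what the user typed at the RP."""
    s = raw.strip()
    if not s or any(c.isspace() for c in s):
        raise ValueError("empty input or embedded whitespace")

    # Inputs with a scheme or path (including "http://user@example.com")
    # and inputs without "@" are left to the RP's existing handling.
    if "/" in s or "@" not in s:
        return Discovery(False, s)

    local, _, domain = s.rpartition("@")
    if not local:
        # A leading "@" (for example an XRI) is not the e-mail style form.
        return Discovery(False, s)
    if "@" in local:
        raise ValueError("more than one '@' in e-mail style input")

    # Assumption: ASCII hostnames with at least two labels.
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL.fullmatch(l) for l in labels):
        raise ValueError("text after '@' is not a valid hostname")

    # The local part is dropped here: it is used for nothing beyond
    # recognising the input form, and is never what the IdP asserts.
    return Discovery(True, domain)


if __name__ == "__main__":
    for typed in ("user@example.com", "http://user@example.com", "@example"):
        print(typed, "->", classify_identifier(typed))
```

The identifier the RP ends up with is whatever URL the IdP asserts at the end of the flow, so the RP should key the account on that URL and not on the string that was typed.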
