Using email address as OpenID identifier

Joseph Holsten joseph at josephholsten.com
Fri Apr 11 22:20:58 UTC 2008 

I really wish everyone would stop calling these identifiers "email
addresses." They're no more email addresses than xmpp: uris.

You aren't going to change the email standards. You will not forcibly
require email servers to recognize xrds discovery. All you're going to
get is an identifier that looks something like an email.

You may as well say that you're using jabber addresses as openids. I'm
going to stop saying you're actually speaking of XRDS document
discovery, since that seems to be over everyones head. I'm going to
stop saying the openid list isn't the place for this, since we defer
endpoint discovery to XRI discover 2.0, though we may switch to
XRDS-Simple. But seriously, get off this list.

But for goodness sakes, could you stop calling them email addresses?
They're just email-looking urls, nothing more.Unless you guys are so
crazy as to have a line like "XRDS discovery MUST verify that the
identifier accepts email," you're just not talking about email.

Respectfully and with far to much sarcasm,
http:// Joseph Holsten .com

On Fri, Apr 11, 2008 at 7:38 AM, Peter Davis <peter.davis at neustar.biz> wrote:
> this discussion, of course, has happened before:
>
> http://openid.net/pipermail/specs/2008-January/002104.html
>
> And paul is correct, IMHO... NAPTR is a better and more flexible way
> to address this.  The original proposal had regex expressions in TXT
> RRs.  which, while not improper, does not have a resolver code base
> to draw from, and some well-laid groundwork for regex processing
> libraries for resolvers to use.
>
> on the other hand, i've never want to use my email address as my
> openID, and you'd have to write a new profile which allowed the OP/RP
> to understand i can prove ownership of the identifier.
>
> =peterd
>
>
> On Apr 9, 2008, at 2:14 PM, Paul E. Jones wrote:
> > James,
> >
> > I don't think we need SRV records to do this.  NAPTR would suffice,
> > as that
> > would allow one to transform one string into another.
> >
> > But, it seems that there is an overwhelming preference for using
> > some kind
> > of string of undetermined structure to identify a user which is not
> > of an
> > e-mail format.  (I know there is an intent to use a URI, but most
> > users have
> > no idea what a URI is and few really type them properly.)
> >
> > So, while I still think the form user at provider is better for the user
> > world-wide community, I understand the counter-arguments.  And,
> > perhaps I'll
> > be proven wrong-- which is OK.
> >
> > Paul
> >
> >> -----Original Message-----
> >> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
> >> Behalf Of McGovern, James F (HTSC, IT)
> >> Sent: Monday, April 07, 2008 3:21 PM
> >> To: specs at openid.net
> >> Subject: Using email address as OpenID identifier
> >>
> >> This would require defining an OpenID SRV record in DNS. Would make
> >> sense for someone to get this formally defined as part of IETF. Could
> >> kinda be done in the same way that Boeing is moving forward
> >> definition
> >> of XRI in LDAP..
> >>
> >> -----Original Message-----
> >>
> >> Message: 1
> >> Date: Mon, 07 Apr 2008 18:56:57 +0100
> >> From: Martin Atkins <mart at degeneration.co.uk>
> >> Subject: Re: Using email address as OpenID identifier
> >> To: specs at openid.net
> >> Message-ID: <47FA6069.1040800 at degeneration.co.uk>
> >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >>
> >> Paul E. Jones wrote:
> >>>
> >>> Perhaps it is important to say, though, that I do not think it
> >>> requires the e-mail providers to get on board with this (in my view)
> >>> simpler notation.  I could use an ID like paulej at myopenid.com and
> >> that
> >>
> >>> should work, if myopenid.com would publish the appropriate NAPTR
> >>> record.  I could also insert NAPTR records into the packetizer.com
> >> DNS
> >>
> >>> server that would allow me to use my email address, but point at my
> >>> preferred OpenID provider.  In short, just because the user at domain
> >>> syntax is used does not mean that it necessarily an e-mail address:
> >> it
> >>
> >>> could be, but more importantly, it just follows that familiar format
> >> documented in RFC 822.
> >>>
> >>
> >> Funnily enough, I've always percieved the fact that syntactically-
> >> valid
> >> but non-existant email addresses are being used as identifiers as a
> >> problem rather than a benefit:
> >>
> >>   * It creates confusion for users when something looks like an email
> >> address but it doesn't behave as one. I've seen this sort of
> >> confusion
> >> with Jabber servers, where users get confused that their Jabber ID
> >> and
> >> email address are not the same, especially when Jabber clients say
> >> "For
> >> example, user at example.com" under the Jabber ID field.
> >>
> >>   * If not all email-shaped OpenID identifiers are actually working
> >> mailboxes, it's likely to lead to a distressing user experience where
> >> the user is first asked to enter their OpenID identifier -- that is,
> >> their email address -- and then they're asked to enter and verify
> >> their
> >> email address. At this point, I expect users to at best say "Stupid
> >> computer! Remember what I've told you!" and at worst get confused and
> >> think that the OpenID identifier they entered was not correct.
> >>
> >>   * As has often been raised in both the OpenID-with-email and in the
> >> Jabber circles, many people are reluctant to give up their email
> >> addresses to the public eye for fear of spam. Note that Yahoo.com
> >> will,
> >> by default, use a big opaque string as an identifier rather than the
> >> user's Yahoo! account name for this very reason.
> >>
> >>
> >>
> >>
> >> *********************************************************************
> >> **
> >> **
> >> This communication, including attachments, is
> >> for the exclusive use of addressee and may contain proprietary,
> >> confidential and/or privileged information.  If you are not the
> >> intended
> >> recipient, any use, copying, disclosure, dissemination or
> >> distribution
> >> is
> >> strictly prohibited.  If you are not the intended recipient, please
> >> notify
> >> the sender immediately by return e-mail, delete this communication
> >> and
> >> destroy all copies.
> >> *********************************************************************
> >> **
> >> **
> >>
> >> _______________________________________________
> >> specs mailing list
> >> specs at openid.net
> >> http://openid.net/mailman/listinfo/specs
> >>
> >
> >
> > _______________________________________________
> > specs mailing list
> > specs at openid.net
> > http://openid.net/mailman/listinfo/specs
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>

More information about the specs mailing list