OpenID Email Discovery
Trevor Johns
trevor at tjohns.net
Fri Jan 4 17:29:52 UTC 2008
On Jan 4, 2008, at 3:14 AM, Artur Bergman wrote:
> You can always go out and use DNSSEC.
That would certainly be a solution. However, isn't DNSSEC not yet
widely deployed?
> Isn't this just a lookup of email address -> openid/url that is then
> handled as a normal openid login?
I'm not sure I understand your question. But yes, based on my
understanding that's basically correct.
What I was discussing was whether the email address -> URL phase is
treated as delegation (in which case the email address is used as the
user's claimed identifier) or as a redirect (in which case, the URL
will be used as the user's claimed identifier).
The first case (email address is the claimed identifier) is definitely
preferable. However, like traditional OpenID delegation, care must be
taken to make sure that a malicious user isn't able to modify the
delegation pointer.
--
Trevor Johns
http://tjohns.net
More information about the specs
mailing list