OpenID Email Discovery
Artur Bergman
sky at crucially.net
Fri Jan 4 17:57:42 UTC 2008
On Jan 4, 2008, at 6:29 PM, Trevor Johns wrote:
>
>> You can always go out and use DNSSEC.
>
> That would certainly be a solution. However, isn't DNSSEC not yet
> widely deployed?
bingo, the world hasn't seen the need for it
>
>> Isn't this just a lookup of email address -> openid/url that is
>> then handled as a normal openid login?
>
> I'm not sure I understand your question. But yes, based on my
> understanding that's basically correct.
>
> What I was discussing was whether the email address -> URL phase is
> treated as delegation (in which case the email address is used as
> the user's claimed identifier) or as a redirect (in which case, the
> URL will be used as the user's claimed identifier).
>
> The first case (email address is the claimed identifier) is
> definitely preferable. However, like traditional OpenID delegation,
> care must be taken to make sure that a malicious user isn't able to
> modify the delegation pointer.
The identifier should be the URL that you get by looking up the email
address through DNS. Then it is just a convenient shortcut and requires
very little extension to existing libraries.
Artur