Mozilla BrowserID
Nat Sakimura
sakimura at gmail.com
Tue Jul 19 05:02:26 UTC 2011
One of my concerns around BrowserID is that it does not seem to take care of
email address recycling.
Email address verification "certificate" may be short lived but it does not
solve the impersonation problem at all.
There has to be some way of canonicalizing an email address into a
non-re-assignable identifier.
Otherwise we are screwed and the BrowserID spec does not yet provide the
solution.
As a conceptual solution, BrowserID is interesting if the browsers
implement it and if we can get rid of BrowserID.org.
I would like to see more work towards it.
=nat
On Tue, Jul 19, 2011 at 1:05 PM, Allen Tom <allentomdude at gmail.com> wrote:
> Yeah, I totally agree - I was referring to a hypothetical protocol that's
> similar to OpenID Connect, but uses email addresses as the true identifier.
>
> I don't see how BrowserID would be better than a version of OpenID Connect
> that only uses email addresses as the one true identifier.
>
> Allen
>
>
>
> On Mon, Jul 18, 2011 at 8:51 PM, Phillip Hallam-Baker <hallam at gmail.com> wrote:
>
>> There is an advantage to throwing out the bad identifiers. It allows the
>> user interface to be made a lot simpler as anything not an email address is
>> wrong.
>>
>> No URLs, no XRIs.
>>
>>
>> As for what to do if the email provider does not provide BrowserID, I
>> don't think it is a problem, I would probably separate the accounts in any
>> case.
>>
>>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
>
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en