<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>Re: [PROPOSAL] Handle "user@example.com" For Discovery Only</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>I guess I shouldn't have said <A HREF="http://user@example.com">http://user@example.com</A>.<BR>
<BR>
All that is being suggested is the following language (on my Treo):<BR>
If a string in the format of "user@example.com" is entered at a RP, the RP MUST treat the domain after "@" as the IdP Identifier. The protocol continues down the normal directed identity flow.<BR>
<BR>
--David<BR>
<BR>
-----Original Message-----<BR>
From: Johannes Ernst [<A HREF="mailto:jernst+openid.net@netmesh.us">mailto:jernst+openid.net@netmesh.us</A>]<BR>
Sent: Friday, October 20, 2006 02:07 PM Pacific Standard Time<BR>
To: specs@openid.net<BR>
Subject: Re: [PROPOSAL] Handle "<A HREF="http://user@example.com">http://user@example.com</A>" Style Identifiers<BR>
<BR>
We actually built some code some time ago to explore this. The basic <BR>
insight was:<BR>
<BR>
if we can do Yadis discovery on XRIs (which aren't rooted in DNS), <BR>
then we can do Yadis discovery on any other kind of identifier, <BR>
whether it's an e-mail address or an ISBN number or what have you -- <BR>
and once we have a Yadis file for a given identifier, we are home <BR>
free because it essentially maps that identifier into HTTP. We <BR>
considered three or four different ways of doing Yadis resolution <BR>
from e-mail addresses and the like, including the <BR>
http://user@example.com/ idea that David mentions; under the hood they are <BR>
different, but what the user sees is the same.<BR>
<BR>
Usability is the key problem here:<BR>
- we confuse the user because suddenly it's not URL-based identity <BR>
any more<BR>
- we confuse the user because users aren't clickable any more <BR>
(except for a mailto: tag, which is confusing in its own right if <BR>
most identities pop up a blog or home page)<BR>
- we confuse the user because if I type the identifier into my <BR>
browser's address bar, it pops up a phishing warning (!) instead of <BR>
the user's home page.<BR>
<BR>
We decided that for the time being, it was going to be much easier to <BR>
educate users on the need to use URLs as identifiers, than to educate <BR>
users to not be confused by the above behaviors.<BR>
<BR>
The situation would change if, say, Mozilla and MSFT were performing <BR>
Yadis discovery on e-mail-style identifiers, and directed the user to <BR>
their (http) home page from a given e-mail address. Not impossible to <BR>
imagine, but certainly not something to expect any century from now.<BR>
<BR>
<BR>
On Oct 20, 2006, at 13:44, Jonathan Daugherty wrote:<BR>
<BR>
> # I'm not actually proposing the IdP make an assertion about<BR>
> # user@example.com. It would only be used during the discovery phase<BR>
> # and then an assertion for a URL be returned.<BR>
><BR>
> Ok, I misunderstood. But even in the case where the IdP makes an<BR>
> assertion about a different identifier, that's confusing, too; you<BR>
> enter something that looks like an email (and maybe your provider<BR>
> tells you it even is), but you log into the site as something else,<BR>
> right?<BR>
><BR>
> --<BR>
> Jonathan Daugherty<BR>
> JanRain, Inc.<BR>
<BR>
Johannes Ernst<BR>
NetMesh Inc.<BR>
<BR>
</FONT>
</P>
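<P>The rule proposed at the top of this message, sketched as RP-side input handling. This is an added example, not code from the thread or from any OpenID library. The names <CODE>classify_identifier</CODE> and <CODE>_valid_host</CODE>, the host-name syntax check, the rejection of URLs that carry userinfo, and the default of <CODE>http://</CODE> for scheme-less input are all assumptions made for illustration.</P>

```python
import re
from urllib.parse import urlsplit

# Assumed host-name syntax (dot-separated LDH labels); not from the thread.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def _valid_host(host):
    labels = host.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)


def classify_identifier(user_input):
    """Classify text typed into an RP login box.

    Returns ("idp", domain)  -> directed identity flow against that IdP,
            ("url", url)     -> normal URL-based discovery,
            ("reject", why)  -> refuse the input.
    """
    s = user_input.strip()
    if not s or any(c.isspace() for c in s):
        return ("reject", "empty or contains whitespace")
    if "://" not in s:
        authority = re.split(r"[/?#]", s, maxsplit=1)[0]
        if "@" in authority:
            # E-mail-style: must be exactly local@domain, nothing after it.
            local, _, domain = authority.rpartition("@")
            if (authority != s or not re.fullmatch(r"[^@:]+", local)
                    or not _valid_host(domain)):
                return ("reject", "malformed e-mail-style identifier")
            # Only the domain is used; the local part is dropped, so no
            # assertion is ever requested about user@example.com itself.
            return ("idp", domain.lower().rstrip("."))
        s = "http://" + s  # assumption: scheme-less input is an HTTP URL
    try:
        parts = urlsplit(s)
        host = parts.hostname or ""
    except ValueError:
        return ("reject", "unparseable URL")
    if parts.scheme not in ("http", "https"):
        return ("reject", "unsupported scheme")
    if "@" in parts.netloc:
        # The http://user@example.com form is the one the thread reports
        # as triggering a browser phishing warning.
        return ("reject", "URL carries userinfo")
    if not _valid_host(host):
        return ("reject", "invalid host")
    return ("url", s)
```

<P>An "@" that appears only in the path, as in <CODE>example.com/@user</CODE>, is treated as an ordinary URL and not as an e-mail-style identifier.</P>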
</BODY>
</HTML>