<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>(The full story is posted at <a
href="http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html">http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html</a>
but this contains the technical parts of the post).<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>This proposal adds Email Discovery, allowing users to use
their email address as an OpenID.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>…<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>We need to map the email address to an OpenID identifier,
and this is where DNS comes in. DNS already has a mechanism for resolving email
addresses to an actual server: email resolution using an MX record. Why not add
a new record type for OpenID? It is basically another way to perform OpenID
discovery, one that is all about making it user-friendly.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>All that is needed is a URL the site performing discovery can
append the email to and treat as an OpenID identifier. This can be done using an
OpenID TXT record: ‘OpenID [username rule] [priority] [URL]’, where
[username rule] is a wildcard expression matched against the username part of
the email (everything up to the ‘@’), [priority] is an MX-like priority
value, and [URL] is the URL used to generate the OpenID identifier. The URL uses
‘*’ to indicate where the username is inserted, and ‘**’ to indicate
where the full, URL-encoded email address is inserted (both optional). For
example:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>example.com TXT ‘OpenID * 10
http://*.example.com/’<o:p></o:p></p>
<p class=MsoNormal>example.com TXT ‘OpenID joe 10
http://example.org/openid?**’<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Which reads: for any email address at ‘example.com’
other than ‘joe’, use ‘http://username.example.com/’ as the OpenID
identifier. For the email address ‘joe@example.com’, use
‘http://example.org/openid?joe%40example.com’ as the OpenID identifier.
Rules are processed first by username rule match (closest match first) and then
by priority, which is used in the same manner as MX record
priority.<o:p></o:p></p>
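<p class=MsoNormal>The relying-party side of the rule above, as an added example that is not part of the original post: it parses ‘OpenID’ TXT strings, matches the username rule, orders matches by specificity and then priority, and expands ‘*’ and ‘**’ into candidate identifiers. The zone data is constructed and stands in for a real TXT lookup; the proposal does not define “closeness”, so the specificity measure (number of literal characters in the rule) is an assumption, as is the restriction to http(s) URLs.</p>

```python
"""Relying-party side of Email Discovery: turn an email address into an
ordered list of candidate OpenID identifiers using 'OpenID' TXT records.

Record format from the proposal: OpenID [username rule] [priority] [URL]
"""
import fnmatch
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample zone data; it stands in for a real TXT lookup so the
# example runs offline.  The unrelated SPF record must be ignored.
SAMPLE_TXT = {
    "example.com": [
        "OpenID * 10 http://*.example.com/",
        "OpenID joe 10 http://example.org/openid?**",
        "OpenID * 20 http://backup.example.com/id/*",
        "v=spf1 -all",
    ],
}


def lookup_txt(domain: str) -> Iterable[str]:
    """Hypothetical resolver hook; swap in a real DNS client in production."""
    return SAMPLE_TXT.get(domain.lower(), [])


@dataclass(frozen=True)
class OpenIDRule:
    username_rule: str
    priority: int
    url_template: str

    def specificity(self) -> int:
        # The proposal orders matches by "closeness" without defining it; here
        # (an assumption) closeness is the number of literal characters in the
        # rule, so 'joe' beats 'j*' which beats '*'.
        return sum(1 for c in self.username_rule if c not in "*?")


def parse_rule(txt: str) -> Optional[OpenIDRule]:
    """Parse one TXT string; return None for anything that is not a valid rule."""
    parts = txt.strip().strip("'\"").split()
    if len(parts) != 4 or parts[0] != "OpenID":
        return None
    try:
        priority = int(parts[2])
    except ValueError:
        return None
    url = parts[3]
    # Only http(s) may become an OpenID identifier; a zone operator (or a
    # spoofed DNS answer) must not be able to hand us a javascript: or file: URL.
    if not url.lower().startswith(("http://", "https://")):
        return None
    return OpenIDRule(parts[1], priority, url)


def split_email(email: str) -> Optional[tuple]:
    """Return (username, domain) or None if the address is not user@domain."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return local, domain


def expand_template(template: str, username: str, email: str) -> str:
    """Substitute '**' (full email) and '*' (username), both percent-encoded."""
    marker = "\x00"  # protect '**' from the single-'*' pass
    out = template.replace("**", marker)
    out = out.replace("*", urllib.parse.quote(username, safe=""))
    return out.replace(marker, urllib.parse.quote(email, safe=""))


def resolve_openid_identifiers(
    email: str, txt_lookup: Callable[[str], Iterable[str]] = lookup_txt
) -> list:
    """Return candidate identifiers, most specific rule first, then by priority."""
    parts = split_email(email)
    if parts is None:
        return []
    username, domain = parts
    rules = [r for r in map(parse_rule, txt_lookup(domain)) if r is not None]
    matching = [r for r in rules if fnmatch.fnmatchcase(username, r.username_rule)]
    matching.sort(key=lambda r: (-r.specificity(), r.priority))
    return [expand_template(r.url_template, username, email) for r in matching]


if __name__ == "__main__":
    for addr in ("joe@example.com", "alice@example.com"):
        print(addr, "->", resolve_openid_identifiers(addr))
```

<p class=MsoNormal>Like MX, the result is a list: the site tries the first candidate and falls back to the next if discovery on it fails. Since a plain DNS answer is unauthenticated unless the zone is DNSSEC-signed, the site should treat the expanded URL as untrusted input and perform normal OpenID discovery on it rather than assuming anything about where it points.</p>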
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>…<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>There are many ways to implement identity delegation, but in
the context of email identifiers and simplifying the user experience, the idea
is to move the delegation mapping to the OpenID provider. When users sign up
for a new OpenID, they will be given the option, perhaps as a premium paid
service, to have the OpenID provider map incoming identity checks for the user's
email address to their local OpenID identifier. So instead of the user
telling the site about their local identity (using delegation), the OpenID
provider performs the mapping.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>In the above example, ‘joe@example.com’ has his
OpenID managed by ‘example.org’. When signing up for an OpenID at
‘example.org’, Joe asked it to accept identity requests for
‘joe@example.com’, or at least to provide delegation discovery. When
Joe tries to log into an OpenID-enabled site using
‘joe@example.com’, the site converts the email address to the URL
‘http://example.org/openid?joe%40example.com’ and uses it like a
regular OpenID identifier. ‘example.org’ replies with the needed
discovery information to get Joe authenticated using the OpenID protocol. By
using the ‘**’ symbol, the full email address is sent over to the
OpenID provider, which can then map identities other than its own
local ones.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>This can be viewed as hosted delegated identity where the
OpenID provider also provides hosting of the OpenID delegation information for
the user. It doesn’t require any new standards except for implementation
and support by OpenID providers.<o:p></o:p></p>
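<p class=MsoNormal>The provider side of that exchange, as an added example that is not part of the original post or of any provider's code: ‘example.org’ receives the request for ‘/openid?joe%40example.com’, looks the email up in its hosted-delegation table and answers with OpenID HTML discovery link tags (openid2.provider / openid2.local_id, plus the OpenID 1.x openid.server / openid.delegate pair) pointing at Joe's local identifier. The mapping table and both URLs in it are constructed for the example.</p>

```python
"""Provider side of the proposal: example.org receives a GET for
http://example.org/openid?joe%40example.com and answers with the discovery
markup that maps that email to Joe's local OpenID identifier."""
import html
import urllib.parse
from typing import Optional, Tuple

# Constructed mapping table, as the provider would keep for users who asked it
# to accept identity requests for their email address:
#   email -> (OP endpoint, local identifier).  Both URLs are hypothetical.
HOSTED_DELEGATIONS = {
    "joe@example.com": ("https://example.org/server", "https://example.org/users/joe"),
}


def email_from_query(query: str) -> Optional[str]:
    """The '**' placeholder puts the URL-encoded email right after '?', with no key."""
    email = urllib.parse.unquote(query)
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    # Domains are case-insensitive; the local part is kept exactly as sent.
    return f"{local}@{domain.lower()}"


def discovery_response(request_target: str) -> Tuple[int, str]:
    """Return (HTTP status, body) for a request target such as '/openid?joe%40example.com'."""
    parsed = urllib.parse.urlsplit(request_target)
    if parsed.path != "/openid":
        return 404, ""
    email = email_from_query(parsed.query)
    if email is None or email not in HOSTED_DELEGATIONS:
        # Unknown emails get a plain 404 so the relying party moves on to its
        # next candidate identifier (or fails) instead of treating a guess as valid.
        return 404, ""
    endpoint, local_id = HOSTED_DELEGATIONS[email]
    ep = html.escape(endpoint, quote=True)
    lid = html.escape(local_id, quote=True)
    body = (
        "<html><head>\n"
        # OpenID 2.0 HTML-based discovery
        f'<link rel="openid2.provider" href="{ep}">\n'
        f'<link rel="openid2.local_id" href="{lid}">\n'
        # Same mapping for OpenID 1.x relying parties
        f'<link rel="openid.server" href="{ep}">\n'
        f'<link rel="openid.delegate" href="{lid}">\n'
        "</head><body></body></html>\n"
    )
    return 200, body


if __name__ == "__main__":
    status, doc = discovery_response("/openid?joe%40example.com")
    print(status)
    print(doc)
```

<p class=MsoNormal>The relying party never learns the local identifier from the user; it discovers it from the provider exactly as it would for a normal delegated OpenID, which is what makes this “hosted” delegation work without a new standard.</p>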
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>---<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Would love to get some feedback.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thanks,<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>EHL<o:p></o:p></p>
</div>
</body>
</html>