Even if you trust that an OP verified an email address in a totally secure way, the fact that an email address was last verified 3 years ago and the email provider is known to recycle email addresses with 1 year lags is an extremely useful bit of information for an RP to know.<br clear="all">
--<br>John Panzer / Google<br><a href="mailto:jpanzer@google.com">jpanzer@google.com</a> / <a href="http://abstractioneer.org">abstractioneer.org</a> / @jpanzer<br><br>
<br><br><div class="gmail_quote">On Tue, Dec 8, 2009 at 10:18 AM, Joseph A Holsten <span dir="ltr"><<a href="mailto:joseph@josephholsten.com">joseph@josephholsten.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I don't mean to troll. I just don't understand why RPs don't just trust the OP's word. Even if this is just a flag to show that Yahoo/JanRain/Google did the verification, aren't they going to have to ignore it when I send it from my OP of ill repute? If they're second guessing the OP based on verified-timestamp and i'm-the-postmaster-i-mean-it, that's at least something, though it'll still need a whitelist of OPs that probably don't cheat.<br>
<br>
Am I nuts? Are RPs really saying they don't trust an email assertion from a whitelisted OP without a verified flag? Or that they aren't going to whitelist at all?<br>
<br>
I won't waste anyone's time thinking about SHOULDs, MUSTs or trust considerations then.<br>
--<br><font color="#888888">
j</font><div><div></div><div class="h5"><br>
<br>
On Dec 8, 2009, at 10:16 AM, Brian Kissel wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
+1. As Allen has said before, and many RPs have confirmed, a verified email address with the attributes he's recommending allows RPs to remove a very problematic step in their workflow where the user has to get an email from the RP then click on it to "verify" the address before enabling an account. There are non-trivial registration losses in this workflow when those verification emails go to spam folders or users just forget to click the link. Delivering a verified email lets RPs register a user in real time, eliminating this step in the workflow. This gets higher registrations and instantaneous access and gratification to the user.<br>
<br>
Cheers,<br>
<br>
Brian<br>
___________<br>
<br>
Brian Kissel<br>
CEO, JanRain - WebID and Social Publishing for User Engagement<br>
Email: <a href="mailto:bkissel@janrain.com" target="_blank">bkissel@janrain.com</a> Cell: 503.866.4424 Fax: 503.296.5502<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:openid-specs-bounces@lists.openid.net" target="_blank">openid-specs-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-bounces@lists.openid.net" target="_blank">openid-specs-bounces@lists.openid.net</a>] On Behalf Of Joseph A Holsten<br>
Sent: Tuesday, December 08, 2009 1:57 AM<br>
To: Allen Tom<br>
Cc: <a href="mailto:openid-specs@lists.openid.net" target="_blank">openid-specs@lists.openid.net</a><br>
Subject: Re: Yahoo available AX attrs<br>
<br>
I understand the desire to say that the email is verified, but it<br>
strikes me as a bit like the urgent priority field in email. "No email<br>
provided" vs "This is the user's email" vs "This is Really the User's<br>
Email and I Mean It". Unless it means "This is the user's email, I've<br>
done due diligence, and you can hold me legally liable." Everything<br>
else boils down to understanding what the OP means when they make an<br>
assertion.<br>
<br>
If you really want a verified flag/timestamp/zero-knowledge-proof,<br>
perhaps you have a better idea about the interaction flow when things<br>
aren't verified to 100% certainty. Would the OP require the user to<br>
verify their email before allowing them to authenticate? Leave it up<br>
to the RP to verify? What if the OP says they're certain but the RP<br>
doesn't actually trust them? What happens when the OP says they've<br>
verified, but not 100% certain? Do you expect different RPs to make<br>
different decisions in these circumstances? How would they choose?<br>
<br>
I'm assuming we're not talking about RPs that have a significant<br>
legal / medical / financial interest in accurate assertions, because<br>
that's legal liability / consent / know your customer and you'll need<br>
more than a timestamp+i-mean-it for that.<br>
--<br>
j<br>
<br>
On Dec 7, 2009, at 10:36 PM, Allen Tom wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'd recommend using a timestamp indicating when it was last<br>
verified, with a special value to indicate that the OP is also the<br>
email provider and has 100% certainty. (perhaps just setting the<br>
verification time==now is sufficient)<br>
<br>
Allen<br>
<br>
<br>
On 12/7/09 8:29 PM, "Chris Messina" <<a href="mailto:chris.messina@gmail.com" target="_blank">chris.messina@gmail.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sounds like something to add to PoCo... perhaps something as simple<br>
as a "verified" boolean added to email addresses?<br>
<br>
<a href="http://portablecontacts.net/draft-schema.html#anchor4" target="_blank">http://portablecontacts.net/draft-schema.html#anchor4</a><br>
<br>
Chris<br>
<br>
On Mon, Dec 7, 2009 at 8:25 PM, Brian Kissel <<a href="mailto:bkissel@janrain.com" target="_blank">bkissel@janrain.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
+1 on email address metadata, many RPs definitely want this.<br>
<br>
Cheers,<br>
<br>
Brian<br>
___________<br>
<br>
Brian Kissel<br>
CEO, JanRain - WebID and Social Publishing for User Engagement<br>
Email: <a href="mailto:bkissel@janrain.com" target="_blank">bkissel@janrain.com</a> Cell: 503.866.4424 Fax: 503.296.5502<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:openid-specs-bounces@lists.openid.net" target="_blank">openid-specs-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-bounces@lists.openid.net" target="_blank">openid-specs-bounces@lists.openid.net</a>] On Behalf Of Allen Tom<br>
Sent: Monday, December 07, 2009 7:46 PM<br>
To: Peter Watkins; Chris Obdam; <a href="mailto:openid-specs@lists.openid.net" target="_blank">openid-specs@lists.openid.net</a><br>
Subject: Re: Yahoo available AX attrs<br>
<br>
Oops - I clicked send too early.<br>
<br>
The bad UX with AX is the security warning that most browsers display when<br>
POSTing a form from HTTPS to HTTP, which is the case when the Yahoo OP<br>
returns a lot of attributes. AX attribute names are excessively long, so<br>
it's very likely that using different attribute names for first/last/middle<br>
name will cause the response to be returned via POST. (2KB is the cutoff<br>
point)<br>
<br>
With regards to email address - unless we're 100% sure about the email<br>
address, we'd like to return metadata about the email address. Specifically,<br>
we'd like to indicate whether or not the email address was verified, and if<br>
so, when it was verified. This is definitely something that we'd like to get<br>
in to AX 2.0.<br>
<br>
Allen<br>
<br>
<br>
<br>
On 12/7/09 7:39 PM, "Allen Tom" <<a href="mailto:atom@yahoo-inc.com" target="_blank">atom@yahoo-inc.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It definitely makes sense to use different attributes for givenname/surname<br>
so that RPs don't have to parse the string, and a few other RPs have also<br>
asked for it. Our initial goal for our AX implementation was just to match<br>
SREG, and SREG only has a single openid.sreg.fullname attribute.<br>
<br>
We'll add support for separate first/last/middle/suffix attributes in a<br>
followup release - probably early next year. I do hope that we're able to<br>
standardize the attribute names, and also keep them short and compact. If you<br>
ask for all our supported attributes, the response will exceed 2KB, which<br>
requires that the response is returned via POST, causing a really bad UX.<br>
<br>
With regards to email address - we'd like to be able to return metadata about<br>
the email address w<br>
<br>
<br>
<br>
On 12/7/09 7:25 AM, "Peter Watkins" <<a href="mailto:peterw@tux.org" target="_blank">peterw@tux.org</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mon, Dec 07, 2009 at 09:16:46AM +0100, Chris Obdam wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Chris (Obdam) - which additional attributes would you like to see<br>
available? The attributes that we'll be adding early next year will include<br>
Yahoo Profile URL and account creation date. A bunch of people have asked<br>
for Flickr Photos URL and Upcoming Profile URL, so we'll probably get around<br>
to adding those too.<br>
</blockquote>
I would like to access every attr specified in the AX schema? :-)<br>
<br>
In my Yahoo profile I have provided my address (home and work). I would like<br>
to use those in a sign form somewhere else.<br>
Same goes for my phone numbers.<br>
</blockquote>
<br>
So would I. One of the simpler goals of our Single Sign On is prepopulating<br>
form fields; having postal address and phone number would be a help.<br>
<br>
I'd also like to see First and Last names available as separate attributes,<br>
otherwise we're trying to intelligently split both "Mary Jane Parker" and<br>
"Malcom Mac Murray".<br>
<br>
Also I would prefer that you give us the user's *primary* email address. In<br>
my Yahoo profile, my Yahoo email address is flagged as "Share with no one"<br>
and I have a different email address flagged as primary, but your AX sends<br>
my yahoo email address. That's bad from usability in part because I very,<br>
very seldom check my Yahoo email inbox.<br>
<br>
The Yahoo website attribute would also be nice to have; as we start<br>
building more "social" features on our sites, it would be nice to make<br>
it easier for our users to share links to their primary web presences,<br>
although I can understand if Yahoo management prefers to only expose the<br>
Profile URL for business reasons.<br>
<br>
Thanks,<br>
<br>
Peter<br>
<br>
</blockquote></blockquote>
<br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</blockquote>
<br>
<br>
</blockquote>
</blockquote>
<br>
</blockquote>
<br>
</div></div></blockquote></div><br>
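The RP-side decision this thread argues about, as an added example that is not part of any message above: an OP whitelist, the "OP is also the email provider" case, and a last-verified timestamp weighed against a provider's known address-recycling lag. The OP URL, domains, lag table, default age limit and the `email_decision` function are all hypothetical; no AX attribute for verification metadata is assumed to exist.

```python
from datetime import datetime, timedelta, timezone

# Everything below is constructed for illustration (not a real OP or provider).
TRUSTED_OPS = {"https://op.example.com/"}             # RP's whitelist of OPs
OP_MAIL_DOMAINS = {"https://op.example.com/": {"example.com"}}  # mail the OP hosts itself
RECYCLE_LAG = {"recycler.example": timedelta(days=365)}  # known address-recycling lags
DEFAULT_MAX_AGE = timedelta(days=730)                 # assumed RP policy otherwise


def email_decision(op, email, verified_at, now):
    """Return 'accept' or 'reverify' for an email address asserted by an OP.

    verified_at is the hypothetical "last verified" timestamp sent by the OP,
    or None when the OP sent no verification metadata.
    """
    if op not in TRUSTED_OPS:
        # A timestamp from an OP the RP does not trust proves nothing.
        return "reverify"
    if email.count("@") != 1:
        return "reverify"
    domain = email.rsplit("@", 1)[1].lower()
    if domain in OP_MAIL_DOMAINS.get(op, set()):
        # The OP is the email provider, so it knows who owns the mailbox now.
        return "accept"
    if verified_at is None or verified_at > now:
        # Missing or future-dated metadata: fall back to the RP's own email check.
        return "reverify"
    # A verification older than the provider's recycling lag may describe
    # a previous owner of the address.
    max_age = RECYCLE_LAG.get(domain, DEFAULT_MAX_AGE)
    return "accept" if now - verified_at < max_age else "reverify"


if __name__ == "__main__":
    now = datetime(2009, 12, 8, tzinfo=timezone.utc)
    three_years_ago = now - timedelta(days=3 * 365)
    print(email_decision("https://op.example.com/", "u@recycler.example",
                         three_years_ago, now))
```
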