Account recovery

George Fletcher gffletch at
Thu Jan 22 13:25:16 UTC 2009

Curious as to how you pass the verified email address using SREG (since 
the spec doesn't allow for this). Do you just assume that if the RP asks 
for the that the RP wants the verified email address 
and the user has no choice about supplying a different email address?

I know for me, that depending on the site I'm logging into with my 
OpenID, I might not want to use the verified email address attached to 
the OpenID. I tend to use different email addresses for different 
purposes, and forcing me to use the verified email address on my OpenID 
would "pollute" that separation I'm trying to maintain :)

That said, I'm all for supporting verified email in SREG, I think we 
just need an extension so that the RP can specify specifically whether 
it wants a user-selected email address or the OP-verified email address 
for the user.


Sabari Devadoss wrote:
>> Perhaps email is something that you have to have in order to sign up
>> and access sites, but I'm not sure, again, that that's true for all
>> audiences. I think more research is necessary in this area, and in
>> specific applications.
>> Chris
> If the OP passes a verified email address via sreg or A/X then the RP can store this information and use it for AR purposes in cases where the user has forgotten the identifier used to log into the RP. One caveat is that the email being passed by the OP should be a verified email address. As part of the sreg testing currently underway at Yahoo! we pass the Yahoo! email address attached to the identifier which requires no additional email verification step on the RP's part.