Account recovery

Sabari Devadoss sabari_d at
Thu Jan 22 23:38:26 UTC 2009

Yes, I should clarify my comment. Our (Yahoo!) current test implementation of sreg actually passes the actual Yahoo! email address of the user. The benefit of passing the Yahoo! email address associated with the Yahoo! OpenID identifier is that it alleviates the need by the RP to require an additional step for the verification of the email address which they receive as part of sreg. Obviously this only works when the OP is also the actual email provider of the email being forwarded. I understand that sreg doesn't specifically call out if the email address is verified or not and I agree that having a new attribute for verified email as part of A/X 2.0 is a great idea.


Date: Thu, 22 Jan 2009 12:22:28 -0500
From: George Fletcher <gffletch at>
Subject: Re: Account recovery
To: OpenID user experience <user-experience at>
Message-ID: <4978AB54.9000109 at>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Very cool. Maybe I misunderstood Sabari's email, but I got the 
impression that Yahoo! was testing support for verified email in the 
SREG protocol and so I was wondering how that's being done. If there is 
a simple extension to use until AX 2.0 is out and we've (AOL) upgraded 
to AX from SREG, then I'm interested even if it's not 100% official.


Breno de Medeiros wrote:
> On Thu, Jan 22, 2009 at 5:25 AM, George Fletcher <gffletch at 
> <mailto:gffletch at>> wrote:
>     Curious as to how you pass the verified email address using SREG
>     (since the spec doesn't allow for this). Do you just assume that
>     if the RP asks for the that the RP wants the
>     verified email address and the user has no choice about supplying
>     a different email address?
>     I know for me, that depending on the site I'm logging into with my
>     OpenID, I might not want to use the verified email address
>     attached to the OpenID. I tend to use different email addresses
>     for different purposes, and forcing me to use the verified email
>     address on my OpenID would "pollute" that separation I'm trying to
>     maintain:)
>     That said, I'm all for supporting verified email in SREG, I think
>     we just need an extension so that the RP can specify specifically
>     whether it wants a user selected email address? or the OP verified
>     email address for the user.
> That's hopefully coming in AX 2.0.
>     Thanks,
>     George
>     Sabari Devadoss wrote:
>             Perhaps email is something that you have to have in order
>             to sign up
>             and access sites, but I'm not sure, again, that that's
>             true for all
>             audiences. I think more research is necessary in this
>             area, and in
>             specific applications.
>             Chris
>         If the OP passes a verified email address via sreg or A/X then
>         the RP can store this information and use it for AR purposes
>         in cases where the user has forgotten the identifier used to
>         log into the RP.  One caveat is that the email being passed by
>         the OP should be a verified email address.   As part of the
>         sreg testing currently underway at Yahoo! we pass the Yahoo!
>         email address attached to the identifier which requires no
>         additional email verification step on the RP's part.  
>         _______________________________________________
>         user-experience mailing list
>        user-experience at <mailto:user-experience at>
> -- 
> --Breno
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
> ------------------------------------------------------------------------
> _______________________________________________
> user-experience mailing list
> user-experience at
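
Sabari's caveat above, that an sreg email can be treated as verified only when the OP is also the provider of that mailbox, written as an RP-side check before the address is stored for account recovery. This is an added example, not code from the thread or from any OP or RP: the endpoint URL, domains, allowlist and function names are hypothetical, the sample assertion is constructed, and signature, nonce and return_to checks are assumed to have been done already by the OpenID library.

```python
from urllib.parse import parse_qs, urlencode

# Hypothetical RP-side allowlist: OP endpoint -> mail domains that OP itself hosts.
OP_MAIL_DOMAINS = {"https://op.mail.example/openid/auth": {"mail.example"}}


def sample_assertion(email, signed="op_endpoint,claimed_id,sreg.email"):
    """Constructed sample query string, not a captured response."""
    return urlencode({
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.mail.example/openid/auth",
        "openid.claimed_id": "https://me.mail.example/a/user1",
        "openid.signed": signed,
        "openid.sreg.email": email,
    })


def classify_sreg_email(query, op_mail_domains=OP_MAIL_DOMAINS):
    """Return (email, status) for account-recovery use.

    status is "verified", "unverified", "absent" or "rejected". Assumes the
    signature, nonce and return_to were already checked by the OpenID library.
    """
    params = parse_qs(query, keep_blank_values=True)
    # Duplicate keys make it ambiguous which value the OP signed: refuse.
    if any(len(values) != 1 for values in params.values()):
        return None, "rejected"
    fields = {key: values[0] for key, values in params.items()}
    if fields.get("openid.mode") != "id_res":
        return None, "rejected"
    email = fields.get("openid.sreg.email")
    if not email:
        return None, "absent"
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        return None, "rejected"
    # A field missing from openid.signed is not covered by the OP's signature.
    signed = set(fields.get("openid.signed", "").split(","))
    if not {"op_endpoint", "sreg.email"} <= signed:
        return email, "unverified"
    # Exact domain match only: the OP vouches for mailboxes it hosts itself.
    hosted = op_mail_domains.get(fields.get("openid.op_endpoint", ""), set())
    return email, "verified" if domain.lower() in hosted else "unverified"


if __name__ == "__main__":
    for addr in ("user1@mail.example", "user1@other.example"):
        print(classify_sreg_email(sample_assertion(addr)))
```

An address classified as "unverified" can still be stored, but it needs the RP's own confirmation step before it is used for account recovery.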
