Account recovery

Chris Messina chris.messina at gmail.com
Thu Jan 22 23:53:57 UTC 2009


Yeah, this is something that would need to be done as an extension to SREG.
I think it certainly has value -- and I'm curious whether RPs would trust an
OP assertion about whether an email address is actually valid... for
example, I'd think it'd be important to know WHEN it was last validated --
two years ago? Last week? I know on many mailing lists I manage, lots of
email addresses eventually bounce -- and the user never unsubscribes or
anything. And of course, different OPs may have different policies when it
comes to verifying an email address -- so the RP might as well go ahead and
do independent verification (hella annoying for the user!).

This is in line with why I think both email-style identifiers are critical in
OpenID 2.1 -- as well as formalizing some kind of message-sending API over
OpenID. The reality is, RPs want and need to send messages to users -- OPs
should facilitate that, for the benefit of both their customers and the RPs.

Chris

On Thu, Jan 22, 2009 at 3:38 PM, Sabari Devadoss <sabari_d at yahoo.com> wrote:

>
> Yes, I should clarify my comment.  Our (Yahoo!) current test implementation
> of sreg actually passes the actual Yahoo! email address of the user.   The
> benefit of passing the Yahoo! email address associated with the Yahoo!
> OpenID identifier is that it alleviates the need by the RP to require an
> additional step for the verification of the email address which they receive
> as part of sreg.  Obviously this only works when the OP is also the actual
> email provider of the email being forwarded.  I understand that sreg doesn't
> specifically call out if the email address is verified or not and I agree
> that having a new attribute for verified email as part of A/X 2.0 is a great
> idea.
>
> Regards,
> Sabari
>
> Date: Thu, 22 Jan 2009 12:22:28 -0500
> From: George Fletcher <gffletch at aol.com>
> Subject: Re: Account recovery
> To: OpenID user experience <user-experience at openid.net>
> Message-ID: <4978AB54.9000109 at aol.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Very cool. Maybe I misunderstood Sabari's email, but I got the
> impression that Yahoo! was testing support for verified email in the
> SREG protocol and so I was wondering how that's being done. If there is
> a simple extension to use until AX 2.0 is out and we've (AOL) upgraded
> to AX from SREG, then I'm interested even if it's not 100% official.
>
> Thanks,
> George
>
> Breno de Medeiros wrote:
> >
> >
> > On Thu, Jan 22, 2009 at 5:25 AM, George Fletcher <gffletch at aol.com
> > <mailto:gffletch at aol.com>> wrote:
> >
> >     Curious as to how you pass the verified email address using SREG
> >     (since the spec doesn't allow for this). Do you just assume that
> >     if the RP asks for the openid.sreg.email that the RP wants the
> >     verified email address and the user has no choice about supplying
> >     a different email address?
> >
> >     I know for me, that depending on the site I'm logging into with my
> >     OpenID, I might not want to use the verified email address
> >     attached to the OpenID. I tend to use different email addresses
> >     for different purposes, and forcing me to use the verified email
> >     address on my OpenID would "pollute" that separation I'm trying to
> >     maintain:)
> >
> >     That said, I'm all for supporting verified email in SREG, I think
> >     we just need an extension so that the RP can specify specifically
> >     whether it wants a user-selected email address or the OP-verified
> >     email address for the user.
> >
> >
> > That's hopefully coming in AX 2.0.
> >
> >
> >
> >
> >     Thanks,
> >     George
> >
> >
> >     Sabari Devadoss wrote:
> >
> >             Perhaps email is something that you have to have in order
> >             to sign up
> >             and access sites, but I'm not sure, again, that that's
> >             true for all
> >             audiences. I think more research is necessary in this
> >             area, and in
> >             specific applications.
> >
> >             Chris
> >
> >
> >
> >         If the OP passes a verified email address via sreg or A/X then
> >         the RP can store this information and use it for AR purposes
> >         in cases where the user has forgotten the identifier used to
> >         log into the RP.  One caveat is that the email being passed by
> >         the OP should be a verified email address.   As part of the
> >         sreg testing currently underway at Yahoo! we pass the Yahoo!
> >         email address attached to the identifier which requires no
> >         additional email verification step on the RP's part.
> >         _______________________________________________
> >         user-experience mailing list
> >        user-experience at openid.net <mailto:user-experience at openid.net>
> >        http://openid.net/mailman/listinfo/user-experience
> >
> >
> >
> >
> >
> >
> >
> > --
> > --Breno
> >
> > +1 (650) 214-1007 desk
> > +1 (408) 212-0135 (Grand Central)
> > MTV-41-3 : 383-A
> > PST (GMT-8) / PDT(GMT-7)
> > ------------------------------------------------------------------------
> >
>



-- 

Chris

--
Chris Messina
Citizen-Participant &
 Open Web Advocate-at-Large

factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private
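
Added example, not part of the thread and not any participant's or provider's code: a sketch of the RP-side decision the thread describes, where an email received in openid.sreg.email is stored for account recovery without a confirmation mail only when the asserting OP is also the mailbox provider. The policy table, hostnames, function name and sample responses are assumptions constructed for illustration; the caller is assumed to have already verified the assertion's signature and performed discovery.

```python
from urllib.parse import urlsplit

# Assumption: RP-maintained table of OP endpoint hosts and the mail domains
# each OP operates itself. Hostnames are constructed placeholders.
OP_MAIL_DOMAINS = {"op.mail-provider.example": {"mail-provider.example"}}

TRUSTED, CONFIRM, NO_EMAIL = "trusted", "confirm", "no-email"

def recovery_email_decision(response, discovered_endpoint):
    """Classify openid.sreg.email from a positive assertion.

    The caller has already verified the assertion's signature and performed
    discovery; discovered_endpoint is the OP endpoint URL from discovery.
    """
    email = response.get("openid.sreg.email", "").strip()
    local, sep, domain = email.rpartition("@")
    if not (local and sep and domain):
        return NO_EMAIL
    # A field missing from openid.signed is not covered by the signature.
    signed = response.get("openid.signed", "").split(",")
    if "sreg.email" not in signed:
        return CONFIRM
    endpoint = urlsplit(discovered_endpoint)
    if endpoint.scheme != "https":
        return CONFIRM
    # Only an OP that hosts the mailbox can vouch for it without a
    # confirmation mail from the RP.
    allowed = OP_MAIL_DOMAINS.get((endpoint.hostname or "").lower(), set())
    return TRUSTED if domain.lower() in allowed else CONFIRM

# Constructed sample responses (not captured traffic).
ENDPOINT = "https://op.mail-provider.example/openid/server"
BASE_SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
SAME_PROVIDER = {
    "openid.signed": BASE_SIGNED + ",sreg.email",
    "openid.sreg.email": "alice@mail-provider.example",
}
OTHER_DOMAIN = dict(SAME_PROVIDER, **{"openid.sreg.email": "alice@elsewhere.example"})
UNSIGNED = dict(SAME_PROVIDER, **{"openid.signed": BASE_SIGNED})

if __name__ == "__main__":
    for name, resp in [("same provider", SAME_PROVIDER),
                       ("other domain", OTHER_DOMAIN),
                       ("unsigned", UNSIGNED)]:
        print(name, "->", recovery_email_decision(resp, ENDPOINT))
```

SREG carries no field saying when an address was last validated, so the freshness question raised in the thread cannot be checked here; "confirm" means the RP sends its own confirmation mail before using the address for recovery.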