Account recovery

Martin Atkins mart at
Fri Jan 23 01:04:25 UTC 2009

Sabari Devadoss wrote:
> Yes, I should clarify my comment.  Our (Yahoo!) current test implementation of sreg actually passes the actual Yahoo! email address of the user.   The benefit of passing the Yahoo! email address associated with the Yahoo! OpenID identifier is that it alleviates the need by the RP to require an additional step for the verification of the email address which they receive as part of sreg.  Obviously this only works when the OP is also the actual email provider of the email being forwarded.  I understand that sreg doesn't specifically call out if the email address is verified or not and I agree that having a new attribute for verified email as part of A/X 2.0 is a great idea.  

Unless there is a provider that returns both verified and unverified 
email addresses, it would seem to me that RPs can simply have a list of 
which OPs are trusted to supply verified email addresses.

Having a flag that says "this is verified" doesn't avoid having an OP 
whitelist, so I don't personally think it's worth complicating SREG with it.

More information about the user-experience mailing list