Account recovery

Allen Tom atom at yahoo-inc.com
Fri Jan 23 01:36:26 UTC 2009


In Yahoo's case (and, I believe, in Google's case), the only email address 
that we return is the @yahoo.com address that is bound to the user's 
account. It is more than just a verified email address; the OP is 
actually the authority for the email address.

It would be great if there was a way for an RP to discover if the user's 
OP is authoritative for the user's email address.

Allen


Chris Messina wrote:
> Yeah, this is something that would need to be done as an extension to 
> SREG.
>
> I think it certainly has value -- and I'm curious whether RPs would 
> trust an OP assertion about whether an email address is actually 
> valid... for example, I'd think it'd be important to know WHEN it was 
> last validated -- two years ago? Last week? I know on many mailing 
> lists I manage, lots of email addresses eventually bounce -- and the 
> user never unsubscribes or anything. And of course, different OPs may 
> have different policies when it comes to verifying an email address -- 
> so the RP might as well go ahead and do independent verification 
> (hella annoying for the user!).
>
> This is in line with why I think both email-style identifiers is 
> critical in OpenID 2.1 -- as well as formalizing some kind of 
> message-sending API over OpenID. The reality is, RPs want and need to 
> send messages to users -- OPs should facilitate that, for the benefit 
> of both their customers and the RPs.
>
> Chris
>
> On Thu, Jan 22, 2009 at 3:38 PM, Sabari Devadoss <sabari_d at yahoo.com> wrote:
>
>
>     Yes, I should clarify my comment.  Our (Yahoo!) current test
>     implementation of sreg actually passes the actual Yahoo! email
>     address of the user.   The benefit of passing the Yahoo! email
>     address associated with the Yahoo! OpenID identifier is that it
>     alleviates the need by the RP to require an additional step for
>     the verification of the email address which they receive as part
>     of sreg.  Obviously this only works when the OP is also the actual
>     email provider of the email being forwarded.  I understand that
>     sreg doesn't specifically call out if the email address is
>     verified or not and I agree that having a new attribute for
>     verified email as part of A/X 2.0 is a great idea.
>
>     Regards,
>     Sabari
>
>     Date: Thu, 22 Jan 2009 12:22:28 -0500
>     From: George Fletcher <gffletch at aol.com>
>     Subject: Re: Account recovery
>     To: OpenID user experience <user-experience at openid.net>
>     Message-ID: <4978AB54.9000109 at aol.com>
>     Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>     Very cool. Maybe I misunderstood Sabari's email, but I got the
>     impression that Yahoo! was testing support for verified email in the
>     SREG protocol and so I was wondering how that's being done. If there is
>     a simple extension to use until AX 2.0 is out and we've (AOL) upgraded
>     to AX from SREG, then I'm interested even if it's not 100% official.
>
>     Thanks,
>     George
>
>     Breno de Medeiros wrote:
>     >
>     >
>     > On Thu, Jan 22, 2009 at 5:25 AM, George Fletcher <gffletch at aol.com> wrote:
>     >
>     >     Curious as to how you pass the verified email address using SREG
>     >     (since the spec doesn't allow for this). Do you just assume that
>     >     if the RP asks for the openid.sreg.email that the RP wants the
>     >     verified email address and the user has no choice about supplying
>     >     a different email address?
>     >
>     >     I know for me, that depending on the site I'm logging into with my
>     >     OpenID, I might not want to use the verified email address
>     >     attached to the OpenID. I tend to use different email addresses
>     >     for different purposes, and forcing me to use the verified email
>     >     address on my OpenID would "pollute" that separation I'm trying to
>     >     maintain:)
>     >
>     >     That said, I'm all for supporting verified email in SREG, I think
>     >     we just need an extension so that the RP can specify specifically
>     >     whether it wants a user-selected email address or the OP-verified
>     >     email address for the user.
>     >
>     >
>     > That's hopefully coming in AX 2.0.
>     >
>     >
>     >
>     >
>     >     Thanks,
>     >     George
>     >
>     >
>     >     Sabari Devadoss wrote:
>     >
>     >             Perhaps email is something that you have to have in order
>     >             to sign up and access sites, but I'm not sure, again, that
>     >             that's true for all audiences. I think more research is
>     >             necessary in this area, and in specific applications.
>     >
>     >             Chris
>     >
>     >
>     >
>     >         If the OP passes a verified email address via sreg or A/X then
>     >         the RP can store this information and use it for AR purposes
>     >         in cases where the user has forgotten the identifier used to
>     >         log into the RP.  One caveat is that the email being passed by
>     >         the OP should be a verified email address.   As part of the
>     >         sreg testing currently underway at Yahoo! we pass the Yahoo!
>     >         email address attached to the identifier which requires no
>     >         additional email verification step on the RP's part.
>     >         _______________________________________________
>     >         user-experience mailing list
>     >         user-experience at openid.net
>     >         http://openid.net/mailman/listinfo/user-experience
>     >
>     >
>     > --
>     > --Breno
>     >
>     > +1 (650) 214-1007 desk
>     > +1 (408) 212-0135 (Grand Central)
>     > MTV-41-3 : 383-A
>     > PST (GMT-8) / PDT(GMT-7)
>     >
>
>
>
>
> -- 
>
> Chris
>
> --
> Chris Messina
> Citizen-Participant &
>  Open Web Advocate-at-Large
>
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is:   [ ] bloggable    [X] ask first   [ ] private
>   
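
The limit raised in this thread (an OP's email assertion needs no extra verification step only when that OP is also the mail provider for the address) can be applied on the RP side as a local policy check. The following is an added example, not code from the thread or from any OP. Since the thread notes there is no way to discover authority, it assumes an RP-maintained allowlist; the endpoint URL and domains are constructed placeholders, the assertion's signature is assumed to be already verified, and the extension alias is assumed to be `sreg`.

```python
from urllib.parse import urlsplit

# RP-maintained policy (constructed placeholders): OP endpoint -> email
# domains for which that OP is itself the mail provider.
AUTHORITATIVE_OPS = {
    "https://op.mail.example/openid/auth": {"mail.example"},
}

# Constructed positive assertion, reduced to the fields this check reads.
SAMPLE = {
    "openid.op_endpoint": "https://op.mail.example/openid/auth",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,sreg.email",
    "openid.sreg.email": "alice@mail.example",
}

def normalize_endpoint(url):
    """Return a canonical https endpoint (no query/fragment), or None."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    suffix = "" if port in (None, 443) else f":{port}"
    return f"https://{parts.hostname}{suffix}{parts.path}"

def classify_sreg_email(resp):
    """Return (email, status) for an already signature-verified assertion.

    status: 'op-authoritative'   - usable for account recovery as-is
            'needs-verification' - RP must confirm the address itself
            'unsigned'/'absent'  - do not store the value
    """
    email = resp.get("openid.sreg.email", "")
    local, at, domain = email.rpartition("@")
    if not (at and local and domain):
        return None, "absent"
    # Fields missing from openid.signed are not covered by the OP's
    # signature and may have been changed in the browser redirect.
    signed = set(resp.get("openid.signed", "").split(","))
    if not {"sreg.email", "op_endpoint"} <= signed:
        return None, "unsigned"
    endpoint = normalize_endpoint(resp.get("openid.op_endpoint", ""))
    if domain.lower() in AUTHORITATIVE_OPS.get(endpoint, set()):
        return email, "op-authoritative"
    return email, "needs-verification"
```

An address classified `needs-verification` still goes through the RP's own confirmation mail before it is used for account recovery.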
