Account recovery
Allen Tom
atom at yahoo-inc.com
Fri Jan 23 01:36:26 UTC 2009
In Yahoo's case (and as I believe Google's case), the only email address
that we return is the @yahoo.com address that is bound to the user's
account. It is more than just a verified email address, the OP is
actually the authority for email address.
It would be great if there was a way for an RP to discover if the user's
OP is authoritative for the user's email address.
Allen
Chris Messina wrote:
> Yeah, this is something that would need to be done as an extension to
> SREG.
>
> I think it certainly has value -- and I'm curious whether RPs would
> trust an OP assertion about whether an email address is actually
> valid... for example, I'd think it'd be important to know WHEN it was
> last validated -- two years ago? Last week? I know on many mailing
> lists I manage, lots of email addresses eventually bounce -- and the
> user never unsubscribes or anything. And of course, different OPs may
> have different policies when it comes to verifying an email address --
> so the RP might as well go ahead and do independent verification
> (hella annoying for the user!).
>
> This is inline with why I think both email-style identifiers is
> critical in OpenID 2.1 -- as well as formalizing some kind of
> message-sending API over OpenID. The reality is, RPs want and need to
> send messages to users -- OPs should facilitate that, for the benefit
> of both their customers and the RPs.
>
> Chris
>
> On Thu, Jan 22, 2009 at 3:38 PM, Sabari Devadoss <sabari_d at yahoo.com
> <mailto:sabari_d at yahoo.com>> wrote:
>
>
> Yes, I should clarify my comment. Our (Yahoo!) current test
> implementation of sreg actually passes the actual Yahoo! email
> address of the user. The benefit of passing the Yahoo! email
> address associated with the Yahoo! OpenID identifier is that it
> alleviates the need by the RP to require an additional step for
> the verification of the email address which they receive as part
> of sreg. Obviously this only works when the OP is also the actual
> email provider of the email being forwarded. I understand that
> sreg doesn't specifically call out if the email address is
> verified or not and I agree that having a new attribute for
> verified email as part of A/X 2.0 is a great idea.
>
> Regards,
> Sabari
>
> Date: Thu, 22 Jan 2009 12:22:28 -0500
> From: George Fletcher <gffletch at aol.com <mailto:gffletch at aol.com>>
> Subject: Re: Account recovery
> To: OpenID user experience <user-experience at openid.net
> <mailto:user-experience at openid.net>>
> Message-ID: <4978AB54.9000109 at aol.com
> <mailto:4978AB54.9000109 at aol.com>>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Very cool. Maybe I mis-understood Sabari's email, but I got the
> impression that Yahoo! was testing support for verified email in the
> SREG protocol and so I was wondering how that's being done. If
> there is
> a simple extension to use until AX 2.0 is out and we've (AOL) upgraded
> to AX from SREG, then I'm interested even if it's not 100% official.
>
> Thanks,
> George
>
> Breno de Medeiros wrote:
> >
> >
> > On Thu, Jan 22, 2009 at 5:25 AM, George Fletcher
> <gffletch at aol.com <mailto:gffletch at aol.com>
> > <mailto:gffletch at aol.com <mailto:gffletch at aol.com>>> wrote:
> >
> > Curious as to how you pass the verified email address using SREG
> > (since the spec doesn't allow for this). Do you just assume that
> > if the RP asks for the opeid.sreg.email that the RP want's the
> > verified email address and the user has no choice about
> supplying
> > a different email address?
> >
> > I know for me, that depending on the site I'm logging into
> with my
> > OpenID, I might not want to use the verified email address
> > attached to the OpenID. I tend to use different email addresses
> > for different purposes, and forcing me to use the verified email
> > address on my OpenID would "pollute" that separation I'm
> trying to
> > maintain:)
> >
> > That said, I'm all for supporting verified email in SREG, I
> think
> > we just need an extension so that the RP can specify
> specifically
> > whether it wants a user selected email address? or the OP
> verified
> > email address for the user.
> >
> >
> > That's hopefully coming in AX 2.0.
> >
> >
> >
> >
> > Thanks,
> > George
> >
> >
> > Sabari Devadoss wrote:
> >
> > Perhaps email is something that you have to have in
> order
> > to sign up
> > and access sites, but I'm not sure, again, that that's
> > true for all
> > audiences. I think more research is necessary in this
> > area, and in
> > specific applications.
> >
> > Chris
> >
> >
> >
> > If the OP passes a verified email address via sreg or
> A/X then
> > the RP can store this information and use it for AR purposes
> > in cases where the user has forgotten the identifier used to
> > log into the RP. One caveat is that the email being
> passed by
> > the OP should be a verified email address. As part of the
> > sreg testing currently underway at Yahoo! we pass the Yahoo!
> > email address attached to the identifier which requires no
> > additional email verification step on the RP's part.
> > _______________________________________________
> > user-experience mailing list
> > user-experience at openid.net
> <mailto:user-experience at openid.net>
> <mailto:user-experience at openid.net
> <mailto:user-experience at openid.net>>
> > http://openid.net/mailman/listinfo/user-experience
> >
> >
> >
> > _______________________________________________
> > user-experience mailing list
> > user-experience at openid.net
> <mailto:user-experience at openid.net>
> <mailto:user-experience at openid.net
> <mailto:user-experience at openid.net>>
> > http://openid.net/mailman/listinfo/user-experience
> >
> >
> >
> >
> > --
> > --Breno
> >
> > +1 (650) 214-1007 desk
> > +1 (408) 212-0135 (Grand Central)
> > MTV-41-3 : 383-A
> > PST (GMT-8) / PDT(GMT-7)
> >
> ------------------------------------------------------------------------
> >
> > _______________________________________________
> > user-experience mailing list
> > user-experience at openid.net <mailto:user-experience at openid.net>
> > http://openid.net/mailman/listinfo/user-experience
> >
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net <mailto:user-experience at openid.net>
> http://openid.net/mailman/listinfo/user-experience
>
>
>
>
> --
>
> Chris
>
> --
> Chris Messina
> Citizen-Participant &
> Open Web Advocate-at-Large
>
> factoryjoe.com <http://factoryjoe.com> # diso-project.org
> <http://diso-project.org>
> citizenagency.com <http://citizenagency.com> # vidoop.com
> <http://vidoop.com>
> This email is: [ ] bloggable [X] ask first [ ] private
> ------------------------------------------------------------------------
>
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-user-experience/attachments/20090122/8be78bf2/attachment-0002.htm>
More information about the user-experience
mailing list