Account recovery

Allen Tom atom at yahoo-inc.com
Fri Jan 23 01:38:35 UTC 2009


We'd like to extend both SReg and AX to indicate when the email was 
verified. As I also mentioned in a previous mail, we'd also like a 
mechanism (perhaps via discovery) for an RP to determine if the OP is 
authoritative for the returned email address.

Allen
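
An added example, not part of the original message or of any OP's or RP's code: one way an RP could decide whether an SReg email is safe to store for account recovery. It assumes the RP's OpenID library has already verified the assertion signature, and that the RP keeps its own allowlist of OPs it treats as authoritative per email domain (the thread only proposes a discovery mechanism); `AUTHORITATIVE_OPS`, `recovery_email` and the `.example` values are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: RP-maintained map of email domain -> OP endpoints the RP treats
# as authoritative for addresses in that domain. Constructed values.
AUTHORITATIVE_OPS = {
    "mail.example": {"https://op.mail.example/openid/auth"},
}

# Constructed positive assertion, as parsed from the return_to query string.
SAMPLE_ASSERTION = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.mail.example/openid/auth",
    "openid.claimed_id": "https://me.mail.example/alice",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,sreg.email",
    "openid.sreg.email": "alice@Mail.Example",
}


def recovery_email(assertion, signature_verified):
    """Return the email usable for account recovery, or None if untrusted."""
    if not signature_verified or assertion.get("openid.mode") != "id_res":
        return None
    # openid.signed lists covered fields without the "openid." prefix.
    signed = set(assertion.get("openid.signed", "").split(","))
    # An unsigned email or endpoint could have been altered in transit.
    if not {"op_endpoint", "sreg.email"} <= signed:
        return None
    local, sep, domain = assertion.get("openid.sreg.email", "").rpartition("@")
    if not (sep and local and domain):
        return None
    domain = domain.lower()
    endpoint = assertion.get("openid.op_endpoint", "")
    if urlsplit(endpoint).scheme != "https":
        return None
    # Any OP can assert any address; only the authoritative one is trusted.
    if endpoint not in AUTHORITATIVE_OPS.get(domain, set()):
        return None
    return f"{local}@{domain}"


if __name__ == "__main__":
    print(recovery_email(SAMPLE_ASSERTION, signature_verified=True))
```

An email that fails this check can still be used by the RP after it runs its own verification step.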



George Fletcher wrote:
> Very cool. Maybe I misunderstood Sabari's email, but I got the 
> impression that Yahoo! was testing support for verified email in the 
> SREG protocol and so I was wondering how that's being done. If there 
> is a simple extension to use until AX 2.0 is out and we've (AOL) 
> upgraded to AX from SREG, then I'm interested even if it's not 100% 
> official.
>
> Thanks,
> George
>
> Breno de Medeiros wrote:
>>
>>
>> On Thu, Jan 22, 2009 at 5:25 AM, George Fletcher <gffletch at aol.com> wrote:
>>
>>     Curious as to how you pass the verified email address using SREG
>>     (since the spec doesn't allow for this). Do you just assume that
>>     if the RP asks for the openid.sreg.email that the RP wants the
>>     verified email address and the user has no choice about supplying
>>     a different email address?
>>
>>     I know for me, that depending on the site I'm logging into with my
>>     OpenID, I might not want to use the verified email address
>>     attached to the OpenID. I tend to use different email addresses
>>     for different purposes, and forcing me to use the verified email
>>     address on my OpenID would "pollute" that separation I'm trying to
>>     maintain:)
>>
>>     That said, I'm all for supporting verified email in SREG, I think
>>     we just need an extension so that the RP can specify specifically
>>     whether it wants a user selected email address or the OP verified
>>     email address for the user.
>>
>>
>> That's hopefully coming in AX 2.0.
>>  
>>
>>
>>
>>     Thanks,
>>     George
>>
>>
>>     Sabari Devadoss wrote:
>>
>>             Perhaps email is something that you have to have in order
>>             to sign up
>>             and access sites, but I'm not sure, again, that that's
>>             true for all
>>             audiences. I think more research is necessary in this
>>             area, and in
>>             specific applications.
>>
>>             Chris
>>               
>>
>>         If the OP passes a verified email address via sreg or A/X then
>>         the RP can store this information and use it for AR purposes
>>         in cases where the user has forgotten the identifier used to
>>         log into the RP.  One caveat is that the email being passed by
>>         the OP should be a verified email address.   As part of the
>>         sreg testing currently underway at Yahoo! we pass the Yahoo!
>>         email address attached to the identifier which requires no
>>         additional email verification step on the RP's part.          
>> _______________________________________________
>>         user-experience mailing list
>>         user-experience at openid.net <mailto:user-experience at openid.net>
>>         http://openid.net/mailman/listinfo/user-experience
>>
>>         
>>
>>
>>
>>
>> -- 
>> --Breno
>>
>> +1 (650) 214-1007 desk
>> +1 (408) 212-0135 (Grand Central)
>> MTV-41-3 : 383-A
>> PST (GMT-8) / PDT(GMT-7)
>>   