Account recovery
Martin Atkins
mart at degeneration.co.uk
Fri Jan 23 02:09:08 UTC 2009
Allen Tom wrote:
> In Yahoo's case (and as I believe Google's case), the only email address
> that we return is the @yahoo.com address that is bound to the user's
> account. It is more than just a verified email address, the OP is
> actually the authority for email address.
My Google account uses a non-gmail email address, and Google returns
this in AX responses.
I believe Plaxo currently just takes anything from Google's OP as
verified, which seems sane to me.
> It would be great if there was a way for an RP to discover if the user's
> OP is authoritative for the user's email address.
>
I still think that using the email address *as* the OpenID identifier is
the best way to achieve this. A prerequisite of that is to somehow
support discovery on the email address which allows you to determine
which OpenID provider is authoritative for it.
In Yahoo's case where directed identity is used I would expect this to
manifest as a directed identity response with the identity set to
mailto:username@yahoo.com, at which point the RP would do discovery on
that email address (using a mechanism still to be determined) and find
that the OP is indeed allowed to make assertions for that email address,
just as we do for HTTP URLs today.
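An added illustration of the trust decision described above, written for this page and not taken from the thread or from any OpenID library. It assumes a hypothetical discovery step (a constructed table mapping an email domain to the OP endpoints allowed to assert for it) standing in for the "mechanism still to be determined", and constructed example.com / example.org values. An RP applies it to an already-verified OpenID response: a mailto: identity is trusted only if the responding OP is authoritative for its domain, and an AX email is otherwise marked verified or unverified by the same rule.

```python
# Constructed stand-in for the discovery step the thread leaves undetermined:
# which OP endpoint(s) are authoritative for a given email domain. A real RP
# would obtain this by discovery on the email address, not from a table.
EMAIL_AUTHORITIES = {
    "example.com": {"https://op.example.com/openid"},
    "example.org": {"https://op.example.org/openid"},
}

def parse_mailto(identity):
    """Return (local_part, domain) for a mailto: identifier, else None."""
    if not identity.lower().startswith("mailto:"):
        return None
    addr = identity[len("mailto:"):]
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower()

def authoritative_op_for(domain):
    """Hypothetical discovery on an email domain (see table above)."""
    return EMAIL_AUTHORITIES.get(domain, set())

def verified_email(response):
    """Decide which email, if any, the RP may treat as verified.

    response: dict of OpenID parameters whose signature was already checked.
    Rule 1: if the asserted identity is a mailto: URL and the responding OP
            is authoritative for that domain, the address itself is verified.
    Rule 2: otherwise an AX email claim is returned, flagged as verified
            only when the responding OP is authoritative for its domain.
    Returns (email_or_None, is_verified).
    """
    op = response.get("openid.op_endpoint", "")
    identity = response.get("openid.claimed_id", "")
    parsed = parse_mailto(identity)
    if parsed:
        local, domain = parsed
        if op in authoritative_op_for(domain):
            return f"{local}@{domain}", True
    ax_email = response.get("openid.ax.value.email")
    if ax_email and "@" in ax_email:
        domain = ax_email.rpartition("@")[2].lower()
        return ax_email, op in authoritative_op_for(domain)
    return None, False
```

Under this rule a non-gmail address returned by Google in AX, as mentioned above, would be reported but flagged unverified, which is the distinction the thread is asking RPs to be able to make.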