mart at degeneration.co.uk
Fri Jan 23 02:09:08 UTC 2009
Allen Tom wrote:
> In Yahoo's case (and as I believe Google's case), the only email address
> that we return is the @yahoo.com address that is bound to the user's
> account. It is more than just a verified email address, the OP is
> actually the authority for email address.
My Google account uses a non-gmail email address, and Google returns
this in AX responses.
I believe Plaxo currently just takes anything from Google's OP as
verified, which seems sane to me.
> It would be great if there was a way for an RP to discover if the user's
> OP is authoritative for the user's email address.
I still think that using the email address *as* the OpenID identifier is
the best way to achieve this. A prerequisite of that is to somehow
support discovery on the email address which allows you to determine
which OpenID provider is authoritative for it.
In Yahoo's case where directed identity is used I would expect this to
manifest as a directed identity response with the identity set to
mailto:username at yahoo.com, at which point the RP would do discovery on
that email address (using a mechanism still to be determined) and find
that the OP is indeed allowed to make assertions for that email address,
just as we do for HTTP URLs today.
More information about the user-experience