Account recovery

Breno de Medeiros breno at google.com
Fri Jan 23 02:27:55 UTC 2009


For the record, the Google OP only returns validated email addresses.
It is possible to create Google Accounts for some Google properties
without validating the email address but the Google OP will not assert
these emails, since otherwise RPs would not be able to accept any
non-Gmail address from Google without independent validation.

It is quite possible that some RPs would be happy to get any email
address from Google users, and I hope AX 2.0 will also allow for RPs
to communicate that they do not require validation, and OPs to give an
answer + convey the information whether they were validated or not.
This way the RPs will always be able to provide users with optimal
experience.

On Thu, Jan 22, 2009 at 6:09 PM, Martin Atkins <mart at degeneration.co.uk> wrote:
> Allen Tom wrote:
>>
>> In Yahoo's case (and as I believe Google's case), the only email address
>> that we return is the @yahoo.com address that is bound to the user's
>> account. It is more than just a verified email address, the OP is actually
>> the authority for email address.
>
> My Google account uses a non-gmail email address, and Google returns this in
> AX responses.
>
> I believe Plaxo currently just takes anything from Google's OP as verified,
> which seems sane to me.
>
>> It would be great if there was a way for an RP to discover if the user's
>> OP is authoritative for the user's email address.
>>
>
> I still think that using the email address *as* the OpenID identifier is the
> best way to achieve this. A prerequisite of that is to somehow support
> discovery on the email address which allows you to determine which OpenID
> provider is authoritative for it.
>
> In Yahoo's case where directed identity is used I would expect this to
> manifest as a directed identity response with the identity set to
> mailto:username at yahoo.com, at which point the RP would do discovery on that
> email address (using a mechanism still to be determined) and find that the
> OP is indeed allowed to make assertions for that email address, just as we
> do for HTTP URLs today.
>
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)



More information about the user-experience mailing list