<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
In Yahoo's case (and as I believe Google's case), the only email
address that we return is the @yahoo.com address that is bound to the
user's account. It is more than just a verified email address, the OP
is actually the authority for email address.<br>
<br>
It would be great if there was a way for an RP to discover if the
user's OP is authoritative for the user's email address.<br>
<br>
Allen<br>
<br>
<br>
Chris Messina wrote:
<blockquote
cite="mid:1bc4603e0901221553s4108bc1l23b34a3f1a918b4c@mail.gmail.com"
type="cite">Yeah, this is something that would need to be done as an
extension to SREG.
<div><br>
</div>
<div>I think it certainly has value -- and I'm curious whether RPs
would trust an OP assertion about whether an email address is actually
valid... for example, I'd think it'd be important to know WHEN it was
last validated -- two years ago? Last week? I know on many mailing
lists I manage, lots of email addresses eventually bounce -- and the
user never unsubscribes or anything. And of course, different OPs may
have different policies when it comes to verifying an email address --
so the RP might as well go ahead and do independent verification (hella
annoying for the user!).</div>
<div><br>
</div>
<div>This is inline with why I think both email-style identifiers is
critical in OpenID 2.1 -- as well as formalizing some kind of
message-sending API over OpenID. The reality is, RPs want and need to
send messages to users -- OPs should facilitate that, for the benefit
of both their customers and the RPs.</div>
<div><br>
</div>
<div>Chris<br>
<div>
<div><br>
<div class="gmail_quote">On Thu, Jan 22, 2009 at 3:38 PM, Sabari
Devadoss <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:sabari_d@yahoo.com">sabari_d@yahoo.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
Yes, I should clarify my comment. Our (Yahoo!) current test
implementation of sreg actually passes the actual Yahoo! email address
of the user. The benefit of passing the Yahoo! email address
associated with the Yahoo! OpenID identifier is that it alleviates the
need by the RP to require an additional step for the verification of
the email address which they receive as part of sreg. Obviously this
only works when the OP is also the actual email provider of the email
being forwarded. I understand that sreg doesn't specifically call out
if the email address is verified or not and I agree that having a new
attribute for verified email as part of A/X 2.0 is a great idea.<br>
<br>
Regards,<br>
Sabari<br>
<br>
Date: Thu, 22 Jan 2009 12:22:28 -0500<br>
From: George Fletcher <<a moz-do-not-send="true"
href="mailto:gffletch@aol.com">gffletch@aol.com</a>><br>
Subject: Re: Account recovery<br>
To: OpenID user experience <<a moz-do-not-send="true"
href="mailto:user-experience@openid.net">user-experience@openid.net</a>><br>
Message-ID: <<a moz-do-not-send="true"
href="mailto:4978AB54.9000109@aol.com">4978AB54.9000109@aol.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<div>
<div class="Wj3C7c"><br>
Very cool. Maybe I mis-understood Sabari's email, but I got the<br>
impression that Yahoo! was testing support for verified email in the<br>
SREG protocol and so I was wondering how that's being done. If there is<br>
a simple extension to use until AX 2.0 is out and we've (AOL) upgraded<br>
to AX from SREG, then I'm interested even if it's not 100% official.<br>
<br>
Thanks,<br>
George<br>
<br>
Breno de Medeiros wrote:<br>
><br>
><br>
> On Thu, Jan 22, 2009 at 5:25 AM, George Fletcher <<a
moz-do-not-send="true" href="mailto:gffletch@aol.com">gffletch@aol.com</a><br>
> <mailto:<a moz-do-not-send="true" href="mailto:gffletch@aol.com">gffletch@aol.com</a>>>
wrote:<br>
><br>
> Curious as to how you pass the verified email address using
SREG<br>
> (since the spec doesn't allow for this). Do you just assume
that<br>
> if the RP asks for the opeid.sreg.email that the RP want's the<br>
> verified email address and the user has no choice about
supplying<br>
> a different email address?<br>
><br>
> I know for me, that depending on the site I'm logging into
with my<br>
> OpenID, I might not want to use the verified email address<br>
> attached to the OpenID. I tend to use different email addresses<br>
> for different purposes, and forcing me to use the verified
email<br>
> address on my OpenID would "pollute" that separation I'm
trying to<br>
> maintain:)<br>
><br>
> That said, I'm all for supporting verified email in SREG, I
think<br>
> we just need an extension so that the RP can specify
specifically<br>
> whether it wants a user selected email address? or the OP
verified<br>
> email address for the user.<br>
><br>
><br>
> That's hopefully coming in AX 2.0.<br>
><br>
><br>
><br>
><br>
> Thanks,<br>
> George<br>
><br>
><br>
> Sabari Devadoss wrote:<br>
><br>
> Perhaps email is something that you have to have in
order<br>
> to sign up<br>
> and access sites, but I'm not sure, again, that that's<br>
> true for all<br>
> audiences. I think more research is necessary in this<br>
> area, and in<br>
> specific applications.<br>
><br>
> Chris<br>
><br>
><br>
><br>
> If the OP passes a verified email address via sreg or A/X
then<br>
> the RP can store this information and use it for AR
purposes<br>
> in cases where the user has forgotten the identifier used
to<br>
> log into the RP. One caveat is that the email being
passed by<br>
> the OP should be a verified email address. As part of the<br>
> sreg testing currently underway at Yahoo! we pass the
Yahoo!<br>
> email address attached to the identifier which requires no<br>
> additional email verification step on the RP's part.<br>
> _______________________________________________<br>
> user-experience mailing list<br>
> <a moz-do-not-send="true"
href="mailto:user-experience@openid.net">user-experience@openid.net</a>
<mailto:<a moz-do-not-send="true"
href="mailto:user-experience@openid.net">user-experience@openid.net</a>><br>
> <a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/user-experience"
target="_blank">http://openid.net/mailman/listinfo/user-experience</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> user-experience mailing list<br>
> <a moz-do-not-send="true"
href="mailto:user-experience@openid.net">user-experience@openid.net</a>
<mailto:<a moz-do-not-send="true"
href="mailto:user-experience@openid.net">user-experience@openid.net</a>><br>
> <a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/user-experience"
target="_blank">http://openid.net/mailman/listinfo/user-experience</a><br>
><br>
><br>
><br>
><br>
> --<br>
> --Breno<br>
><br>
> +1 (650) 214-1007 desk<br>
> +1 (408) 212-0135 (Grand Central)<br>
> MTV-41-3 : 383-A<br>
> PST (GMT-8) / PDT(GMT-7)<br>
>
------------------------------------------------------------------------<br>
><br>
> _______________________________________________<br>
> user-experience mailing list<br>
> <a moz-do-not-send="true" href="mailto:user-experience@openid.net">user-experience@openid.net</a><br>
> <a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/user-experience"
target="_blank">http://openid.net/mailman/listinfo/user-experience</a><br>
><br>
_______________________________________________<br>
user-experience mailing list<br>
<a moz-do-not-send="true" href="mailto:user-experience@openid.net">user-experience@openid.net</a><br>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/user-experience"
target="_blank">http://openid.net/mailman/listinfo/user-experience</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<br>
Chris<br>
<br>
--<br>
Chris Messina<br>
Citizen-Participant &<br>
Open Web Advocate-at-Large<br>
<br>
<a moz-do-not-send="true" href="http://factoryjoe.com">factoryjoe.com</a>
# <a moz-do-not-send="true" href="http://diso-project.org">diso-project.org</a><br>
<a moz-do-not-send="true" href="http://citizenagency.com">citizenagency.com</a>
# <a moz-do-not-send="true" href="http://vidoop.com">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ] private<br>
</div>
</div>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
user-experience mailing list
<a class="moz-txt-link-abbreviated" href="mailto:user-experience@openid.net">user-experience@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/user-experience">http://openid.net/mailman/listinfo/user-experience</a>
</pre>
</blockquote>
<br>
</body>
</html>