On Wed, Oct 17, 2012 at 3:51 PM, alex <[email protected]> wrote: > I'm not currently proposing anything but it's an interesting conversation. > > It's true many sites require email but I, as a user, at least would > like to have a choice and not being forced to.
I get that, but I posit that: * You the user aren't the one who gets to make that decision. You can decide that you don't want to log into the site because it asks for an email address, but you are in a *very* tiny minority. Websites want email addresses, and 99.9% of users are comfortable giving it. * Users don't understand identity as something other than email address. There are only two other contending identities - Facebook and Twitter (and Twitter is pretty much geeks-only, so that leaves Facebook). Google isn't included - if you talk to nontechnical users, they don't quite grok the idea of a Google account yet. "You mean gmail? I don't use gmail." > It is also true though that an average user "host" their emails > somewhere like Google, Yahoo!, Windows Live, whatever. Not only that, > they also use their emails under the TOS of those providers. That's, > for one, a reason why I don't believe email is the answer, but I do > favor the fact that Persona exists because I think it might bring some > new ideas in the future. In a broader sense, Persona is not really about email. It's an arbitrary identity system defined by user@domain. It just happens to overlap with email, which is critical because nontechnical users don't understand the difference - they just know that user@domain is "me". But user@domain does not need to be routable. You can set up your own IdP for you@yourhost. If you control your domain name, you control your identity. If you use @gmail.com, Google controls your identity. But at least it's distributed - if you don't like Google, go with Yahoo or MSN or anyone else. You can't say the same about Facebook or Twitter identities. > I remember seeing lots of t-shirts with Twitter @handlers. I recall > people going crazy when Facebook started introducing vanity URLs. I > also remember everybody sticking QR codes on every corner at some > point. Those are just a couple examples of identities probably as good > as your [email protected] ID. Identity is a huge and interesting topic, > but not for this forum. Twitter and Facebook identities are not distributed, and completely at the mercy of Facebook's and Twitter's TOS. This alone makes them *vastly* less desirable than user@domain. QR codes aren't an identity, just a possible representation of an identity (a url? an email address?). And OpenID tried using URLs as identifiers - oh boy was that a disaster. Users don't understand "I am a URL". For better or worse, it keeps coming back to email. > BTW, authentication is one of the things OAuth kinda does address. > Check out the RFCs, I'm sure you'll find lots of interesting info. Even if OAuth provides authentication, where does the _identity_ come from? If I'm not mistaken, at best it offers the horrible NASCAR-style UX we get with OpenID today - "pick your auth provider, Gmail/AOL/Yahoo/etc". Jeff -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
