On Mon, Sep 20, 2010 at 2:06 PM, Maciej Piechotka <[email protected]> wrote: > On Sun, 2010-09-19 at 17:12 +0200, Michael Snoyman wrote: >> >> Let me respond to this directly since a number of people have brought >> this up: >> >> Due to spam reasons we can't trust the email given via an OpenID >> provider in general. For example, it would be trivial for me to create >> an OpenID provider for myself, set my email address as <insert someone >> else's address here> and essentially spam them. >> >> By going with a service like Facebook or Google, we know (or at least >> assume) that they do proper email validation, so we could immediately >> accept this value without needing to verify it ourselves. >> >> In other words: Yes, I know there are extensions to OpenID. And no, we >> can't use it to get a verified email address. >> >> Michael > > There are people who for whatever reason don't use Facebook/Google/.... > And sending verification e-mail costs practically nothing. > > Regards > > PS. If we have on-site registration it would have unverified e-mail as > well.
>From my original email: * Username/password on the site. But who wants to deal with *another* password? * OpenID. Fixes the extra password problem, but doesn't give us any extra information about the user (email address, etc). * Facebook/Twitter/Google: We get the users email address, but do we *really* want to force users to have one of those accounts? I disagree with the sentiment of "sending a verification e-mail costs practically nothing". While *sending* it is cheap, we then need to wait for users to respond to it. Compare this with a Google/Facebook login scenario, where they click a button on our site, click approve on Google/Facebook, and are completely approved. Michael _______________________________________________ Haskell-Cafe mailing list [email protected] http://www.haskell.org/mailman/listinfo/haskell-cafe
