> -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Gabe Wachob > Sent: Wednesday, February 28, 2007 3:02 PM > To: 'Drummond Reed'; 'Martin Atkins'; specs@openid.net > Subject: Proposal for Modularizing Auth 2.0 Discovery > <snip> > > Basically, the Discovery Spec would specify that for any identifier scheme > to work with OpenID, it MUST define a way of being constructed into an > HTTP > URI and then returning a XRDS with an HTTP GET on that HTTP URI. If there > are other ways of resolving it, then implementations MAY use those other > methods of resolution ("native resolution", if you will). In essence, this > is a requirement for HTTP gateway(s) to whatever resolution infrastructure > exists today.
+1. Wherever we go from here, we need to be clear and define exactly what *is* and what *is not* an Open Id Identifier. A while back there was <understatement>some talk</understatement> about whether email addresses should be used as 1st-Class or 2nd-Class OpenIds (see the wiki here http://openid.net/wiki/index.php/Debating_Emails_as_1st-Class_or_2nd-Class_C itizens). I think it is important to be clear that it is *not* a great idea to use certain "other" identifiers (email address, phone number, etc) *as* OpenIds. Rather, these should instead map to OpenId Http URL's (or XRI's if possible). This is important because profile attributes like email address, telephone number, etc may or may not be private in certain circumstances. For example, logging-in with my email address at an RP, which maps my email address to a publicly-displayable OpenId, is an ok thing to do assuming I trust the RP with my email address (The RP will hopefully respect my privacy by displaying my mapped OpenId URL or XRI on publicly facing pages where appropriate). If we drift into the territory that says "emails addresses (or other profile attributes) *are* OpenIds", then RP's and end-users will run into lots of problems -- E.g., an RP has a publicly facing page that needs to show a user's identifier, but doing so with an email OpenId would be bad for the end user, so the RP is stuck. Bottom Line (repeating myself): We need to be clear and define exactly what *is* and what *is not* an Open Id Identifier. I think the current spec is right on the money here: OpenId Identifiers should be an Http URI or an XRI. _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
