Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
ID is not one that the average user will remember or get right.

 

While the e-mail address does not have to be the one's ID, it can certainly
serve as an alias.  Suppose, for example, that the DNS records at Yahoo
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 U OpenID2
^(.+)@(.*)$!https://me.yahoo.com/\1!i;

 

This would allow a Relaying Party to accept an e-mail address and perform a
simple transformation to get the real URL identifier.  Of course, this
does not mean that the existing URL or XRI identifiers are invalid, nor does
it mean that the email address has to be a real e-mail address.  But, this
form would certainly be far simpler for most people to deal use.

 

If something like this has been discussed and rejected, what was the reason?

 

Thanks,

Paul

 

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Using email address as OpenID identifier

2008-04-01 Thread Brad Fitzpatrick
This has been discussed to death and really should be a FAQ by now, but it's
not written up, so I'll add a few points:

-- we should discuss this as a generic email to URL mapping problem, and
ignore what is done with that URL then.  yes, it could be used as an OpenID

-- that said, with directed identity in OpenID 2.0, a user just needs to
type in yahoo.com, or press the pretty yahoo button.  No typing.

-- For email-to-URL, NAPTR by itself is a non-starter.  Technically it may
be the correct way, but average people don't control their DNS.  Hell,
networksolutions doesn't even let you add SRV or TXT records.

-- A good solution to email-to-URL mapping will likely involve an
XRDS-Simple-style two-pronged discovery lookup path.  Whereas XRDS-Simple
says try Accept header, then parse the head tag, a good email-to-URL
lookup protocol (best practice?) might be to try NAPTR first, then fall
back to this:

http://brad.livejournal.com/2357444.html

- Brad

2008/4/1 Paul E. Jones [EMAIL PROTECTED]:

  Folks,



 I've seen discussion here and there on the use of the e-mail address as
 the OpenID identifier.  Perhaps this one says it best:

 http://www.majordojo.com/2007/02/what-openid-needs.php



 I share many of same opinions.  If OpenID is going to be practically
 usable by the average person, we cannot require the person to remember some
 very complex identifier.  When I signed up for Yahoo's OpenID service, it
 presented me with a hideously ugly URL that looked similar to a
 base64-encoded string.  I could not begin to tell you what it was.
 Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
 ID is not one that the average user will remember or get right.



 While the e-mail address does not have to be the one's ID, it can
 certainly serve as an alias.  Suppose, for example, that the DNS records at
 Yahoo contained the following entry:



   yahoo.com. IN NAPTR 100 10 U OpenID2
 ^(.+)@(.*)$!https://me.yahoo.com/\1!i;



 This would allow a Relaying Party to accept an e-mail address and perform
 a simple transformation to get the real URL identifier.  Of course, this
 does not mean that the existing URL or XRI identifiers are invalid, nor does
 it mean that the email address has to be a real e-mail address.  But, this
 form would certainly be far simpler for most people to deal use.



 If something like this has been discussed and rejected, what was the
 reason?



 Thanks,

 Paul



 ___
 specs mailing list
 specs@openid.net
 http://openid.net/mailman/listinfo/specs


___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


RE: Using email address as OpenID identifier

2008-04-01 Thread Eran Hammer-Lahav
The beauty of the current OpenID spec is that anyone can implement it and go 
live. However, with email identifiers you need email providers to support it. 
If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I 
am sure the others are likely to follow. Get 2 of these 4 and you've got 
something going. But the biggest issue is not picking a standard but finding a 
company willing to put something out there.

As for the technical solutions, there are many from DNS to XRDS to a simple 
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an 
OpenID issue, but a non-HTTP URI -- HTTP URI conversation. Basically if you 
had a generic way of moving from mailto:[EMAIL PROTECTED] to 
http://example.com/url/user (or any other URI with HTTP, the domain, and the 
user), any URI can be used for OpenID.

But at the end this is about someone of a major email provider saying they are 
interested and put out something people can use. After that I expect the 
snowball to roll. So, do you know anyone? :)

EHL

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

Folks,

I've seen discussion here and there on the use of the e-mail address as the 
OpenID identifier.  Perhaps this one says it best:
http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of same opinions.  If OpenID is going to be practically usable by 
the average person, we cannot require the person to remember some very complex 
identifier.  When I signed up for Yahoo's OpenID service, it presented me with 
a hideously ugly URL that looked similar to a base64-encoded string.  I could 
not begin to tell you what it was.  Fortunately, Yahoo allowed me to define my 
own, friendlier name.  Still, the ID is not one that the average user will 
remember or get right.

While the e-mail address does not have to be the one's ID, it can certainly 
serve as an alias.  Suppose, for example, that the DNS records at Yahoo 
contained the following entry:

  yahoo.com. IN NAPTR 100 10 U OpenID2 
^(.+)@(.*)$!https://me.yahoo.com/\1!i;

This would allow a Relaying Party to accept an e-mail address and perform a 
simple transformation to get the real URL identifier.  Of course, this does 
not mean that the existing URL or XRI identifiers are invalid, nor does it mean 
that the email address has to be a real e-mail address.  But, this form would 
certainly be far simpler for most people to deal use.

If something like this has been discussed and rejected, what was the reason?

Thanks,
Paul

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Eran,

 

You're entirely correct that this is not an OpenID issue, per se.  In fact,
not a single word of text would need to be changed in the current v2 specs,
as far as I'm concerned.

 

But, I do think that it will take some of the core OpenID team members to
put a stake in the ground and say, this is the convention that we'll
follow.  What needs to happen then is perhaps an extension written that
explains how to convert an email address to a URL.  Using NAPTR records
seems like the simplest way to do it to me, but I'm open to suggestions.

 

Perhaps it is important to say, though, that I do not think it requires the
e-mail providers to get on board with this (in my view) simpler notation.  I
could use an ID like [EMAIL PROTECTED] and that should work, if
myopenid.com would publish the appropriate NAPTR record.  I could also
insert NAPTR records into the packetizer.com DNS server that would allow me
to use my email address, but point at my preferred OpenID provider.  In
short, just because the [EMAIL PROTECTED] syntax is used does not mean that it
necessarily an e-mail address: it could be, but more importantly, it just
follows that familiar format documented in RFC 822.

 

Paul

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

The beauty of the current OpenID spec is that anyone can implement it and go
live. However, with email identifiers you need email providers to support
it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a
feature, I am sure the others are likely to follow. Get 2 of these 4 and
you've got something going. But the biggest issue is not picking a standard
but finding a company willing to put something out there.

 

As for the technical solutions, there are many from DNS to XRDS to a simple
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not
an OpenID issue, but a non-HTTP URI -- HTTP URI conversation. Basically if
you had a generic way of moving from mailto:[EMAIL PROTECTED] to
http://example.com/url/user (or any other URI with HTTP, the domain, and the
user), any URI can be used for OpenID.

 

But at the end this is about someone of a major email provider saying they
are interested and put out something people can use. After that I expect the
snowball to roll. So, do you know anyone? J

 

EHL

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

 

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
ID is not one that the average user will remember or get right.

 

While the e-mail address does not have to be the one's ID, it can certainly
serve as an alias.  Suppose, for example, that the DNS records at Yahoo
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 U OpenID2
^(.+)@(.*)$!https://me.yahoo.com/\1!i;

 

This would allow a Relaying Party to accept an e-mail address and perform a
simple transformation to get the real URL identifier.  Of course, this
does not mean that the existing URL or XRI identifiers are invalid, nor does
it mean that the email address has to be a real e-mail address.  But, this
form would certainly be far simpler for most people to deal use.

 

If something like this has been discussed and rejected, what was the reason?

 

Thanks,

Paul

 

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt


On 1-Apr-08, at 7:37 PM, Brad Fitzpatrick wrote:


-- that said, with directed identity in OpenID 2.0, a user just  
needs to type in yahoo.com, or press the pretty yahoo button.  No  
typing.


I think this is why we don't need to use emails. People are very  
familiar with typing in a URL in the address bar. The experience of  
entering an URL and then being on that page is also really familiar.  
This is of course what happens when you type the OP into the OpenID  
prompt.


Sorry for not being the least bit supportive of the email as  
identifier idea -- there are just so many things that are bad about it  
and the good reason (an identifier they already know) is provided per  
above with the advantage of giving an expected experience.


I agree with Brad that we need to write a FAQ on this.

-- Dick___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


RE: Using email address as OpenID identifier

2008-04-01 Thread Eran Hammer-Lahav
Take a look at 
http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html - especially 
the list of other solutions proposed before me, as well as Brad's proposal.

The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support this 
DNS, and they *are* the email providers.

EHL

From: Paul E. Jones [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 11:42 PM
To: Eran Hammer-Lahav; specs@openid.net
Subject: RE: Using email address as OpenID identifier

Eran,

You're entirely correct that this is not an OpenID issue, per se.  In fact, not 
a single word of text would need to be changed in the current v2 specs, as far 
as I'm concerned.

But, I do think that it will take some of the core OpenID team members to put a 
stake in the ground and say, this is the convention that we'll follow.  What 
needs to happen then is perhaps an extension written that explains how to 
convert an email address to a URL.  Using NAPTR records seems like the simplest 
way to do it to me, but I'm open to suggestions.

Perhaps it is important to say, though, that I do not think it requires the 
e-mail providers to get on board with this (in my view) simpler notation.  I 
could use an ID like [EMAIL PROTECTED] and that should work, if myopenid.com 
would publish the appropriate NAPTR record.  I could also insert NAPTR records 
into the packetizer.com DNS server that would allow me to use my email address, 
but point at my preferred OpenID provider.  In short, just because the [EMAIL 
PROTECTED] syntax is used does not mean that it necessarily an e-mail address: 
it could be, but more importantly, it just follows that familiar format 
documented in RFC 822.

Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

The beauty of the current OpenID spec is that anyone can implement it and go 
live. However, with email identifiers you need email providers to support it. 
If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I 
am sure the others are likely to follow. Get 2 of these 4 and you've got 
something going. But the biggest issue is not picking a standard but finding a 
company willing to put something out there.

As for the technical solutions, there are many from DNS to XRDS to a simple 
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an 
OpenID issue, but a non-HTTP URI -- HTTP URI conversation. Basically if you 
had a generic way of moving from mailto:[EMAIL PROTECTED] to 
http://example.com/url/user (or any other URI with HTTP, the domain, and the 
user), any URI can be used for OpenID.

But at the end this is about someone of a major email provider saying they are 
interested and put out something people can use. After that I expect the 
snowball to roll. So, do you know anyone? :)

EHL

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

Folks,

I've seen discussion here and there on the use of the e-mail address as the 
OpenID identifier.  Perhaps this one says it best:
http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of same opinions.  If OpenID is going to be practically usable by 
the average person, we cannot require the person to remember some very complex 
identifier.  When I signed up for Yahoo's OpenID service, it presented me with 
a hideously ugly URL that looked similar to a base64-encoded string.  I could 
not begin to tell you what it was.  Fortunately, Yahoo allowed me to define my 
own, friendlier name.  Still, the ID is not one that the average user will 
remember or get right.

While the e-mail address does not have to be the one's ID, it can certainly 
serve as an alias.  Suppose, for example, that the DNS records at Yahoo 
contained the following entry:

  yahoo.com. IN NAPTR 100 10 U OpenID2 
^(.+)@(.*)$!https://me.yahoo.com/\1!i;

This would allow a Relaying Party to accept an e-mail address and perform a 
simple transformation to get the real URL identifier.  Of course, this does 
not mean that the existing URL or XRI identifiers are invalid, nor does it mean 
that the email address has to be a real e-mail address.  But, this form would 
certainly be far simpler for most people to deal use.

If something like this has been discussed and rejected, what was the reason?

Thanks,
Paul

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Using email address as OpenID identifier

2008-04-01 Thread James Henstridge
On 02/04/2008, Paul E. Jones [EMAIL PROTECTED] wrote:
 Folks,

 I've seen discussion here and there on the use of the e-mail address as the
 OpenID identifier.  Perhaps this one says it best:

 http://www.majordojo.com/2007/02/what-openid-needs.php

 I share many of same opinions.  If OpenID is going to be practically usable
 by the average person, we cannot require the person to remember some very
 complex identifier.  When I signed up for Yahoo's OpenID service, it
 presented me with a hideously ugly URL that looked similar to a
 base64-encoded string.  I could not begin to tell you what it was.
 Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
 ID is not one that the average user will remember or get right.

 While the e-mail address does not have to be the one's ID, it can certainly
 serve as an alias.  Suppose, for example, that the DNS records at Yahoo
 contained the following entry:

   yahoo.com. IN NAPTR 100 10 U OpenID2
 ^(.+)@(.*)$!https://me.yahoo.com/\1!i;

 This would allow a Relaying Party to accept an e-mail address and perform a
 simple transformation to get the real URL identifier.  Of course, this
 does not mean that the existing URL or XRI identifiers are invalid, nor does
 it mean that the email address has to be a real e-mail address.  But, this
 form would certainly be far simpler for most people to deal use.

If your aim is to let people use an email address as an identifier,
there are a few questions to answer:

1. when a user enters an email address into an RP, how is the claimed
ID derived from that input?

2. given such an input, how does the RP go about discovering the
OpenID endpoint URL and local ID for that identity?

With answers to these two questions, the remainder of the protocol
should function as is.

I'm guessing (correct me if I'm wrong) that you're suggesting that
this DNS lookup be done as part of (1).  This seems like it would
cause confusion if the user's ISP changed their DNS, since the user
would see their email address as being the real identifier: not the
URL that it maps to.

A solution that matches closer with what the user expects would be to
map [EMAIL PROTECTED] to a claimed ID of mailto:[EMAIL PROTECTED].

For (2), I'd suggest a solution that maps the email address to either
directly to an OpenID endpoint (using the claimed ID as local ID), or
to an XRDS file.  A DNS based solution seems fine here (either your
NAPTR idea, or TXT records as suggested in replies to your post).

James.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Brad,

 

Your point about DNS limitations is valid.  Then again, anybody who will be 
offering the open identity server is likely going to have control over their 
DNS.  Still, I’m not opposed to alternatives.

 

But, since you brought up the fact that one can enter yahoo.com and get 
redirected, I checked and, indeed, several OpenID sites already accept the 
e-mail ID as a form of identification—and I can get redirected to either Yahoo 
or MyOpenID.com.  So, do some of the libraries already check for e-mail address 
forms?  It seems that perhaps they do!

 

Paul

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brad Fitzpatrick
Sent: Tuesday, April 01, 2008 10:38 PM
To: Paul E. Jones
Cc: specs@openid.net
Subject: Re: Using email address as OpenID identifier

 

This has been discussed to death and really should be a FAQ by now, but it's 
not written up, so I'll add a few points:

-- we should discuss this as a generic email to URL mapping problem, and ignore 
what is done with that URL then.  yes, it could be used as an OpenID

-- that said, with directed identity in OpenID 2.0, a user just needs to type 
in yahoo.com, or press the pretty yahoo button.  No typing.

-- For email-to-URL, NAPTR by itself is a non-starter.  Technically it may be 
the correct way, but average people don't control their DNS.  Hell, 
networksolutions doesn't even let you add SRV or TXT records.

-- A good solution to email-to-URL mapping will likely involve an 
XRDS-Simple-style two-pronged discovery lookup path.  Whereas XRDS-Simple says 
try Accept header, then parse the head tag, a good email-to-URL lookup 
protocol (best practice?) might be to try NAPTR first, then fall back to this:

http://brad.livejournal.com/2357444.html

- Brad

2008/4/1 Paul E. Jones [EMAIL PROTECTED]:

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the 
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable by 
the average person, we cannot require the person to remember some very complex 
identifier.  When I signed up for Yahoo's OpenID service, it presented me with 
a hideously ugly URL that looked similar to a base64-encoded string.  I could 
not begin to tell you what it was.  Fortunately, Yahoo allowed me to define my 
own, friendlier name.  Still, the ID is not one that the average user will 
remember or get right.

 

While the e-mail address does not have to be the one's ID, it can certainly 
serve as an alias.  Suppose, for example, that the DNS records at Yahoo 
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 U OpenID2 
^(.+)@(.*)$!https://me.yahoo.com/\1!i;

 

This would allow a Relaying Party to accept an e-mail address and perform a 
simple transformation to get the real URL identifier.  Of course, this does 
not mean that the existing URL or XRI identifiers are invalid, nor does it mean 
that the email address has to be a real e-mail address.  But, this form would 
certainly be far simpler for most people to deal use.

 

If something like this has been discussed and rejected, what was the reason?

 

Thanks,

Paul

 


___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

 

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Dick,

 

On this point, I really have to disagree.  Even I rarely enter a URL into a
web browser. Why bother when I know the web browser will figure it out for
me.  I don't want to type http:// or https:// :-)

 

More importantly, you and I are different than the average users.  I've
watched people struggle with getting addresses properly entered.  I've
watched people put www in front of every name entered into a web browser,
even when the site might be something else.  I've watched users enter \\
rather than //.  I've even no slash at all.

 

So, what I think is important is that users have something simple and
consistent.  As I noted to my message to Brad just a moment ago, it appears
that some sites will accept the e-mail address form and then figure out
where to direct the user.   I was pleasantly surprised.

 

Given that at least some of the sites out there now do operate this way, I
suspect it might just be a matter of time before all of them do.  But, I
think it's important that the user experience is consistent, as you say.  If
email IDs are going to be supported by some, through ought to be supported
by all - even if they do nothing but figure out which OP to direct the
browser to.

 

Paul

 

From: Dick Hardt [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 11:45 PM
To: Brad Fitzpatrick
Cc: Paul E. Jones; specs@openid.net
Subject: Re: Using email address as OpenID identifier

 

 

On 1-Apr-08, at 7:37 PM, Brad Fitzpatrick wrote:


-- that said, with directed identity in OpenID 2.0, a user just needs to
type in yahoo.com, or press the pretty yahoo button.  No typing.

 

I think this is why we don't need to use emails. People are very familiar
with typing in a URL in the address bar. The experience of entering an URL
and then being on that page is also really familiar. This is of course what
happens when you type the OP into the OpenID prompt.

 

Sorry for not being the least bit supportive of the email as identifier idea
-- there are just so many things that are bad about it and the good reason
(an identifier they already know) is provided per above with the advantage
of giving an expected experience.

 

I agree with Brad that we need to write a FAQ on this.

 

-- Dick

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Eran,

 

I'm not suggesting that the address must be a real e-mail address.  I'm
suggesting that the ID has that form.  It's easier for users than entering
https://me.yahoo.com/userid.  If it happens to also be one's real e-mail
address, fine.  That would be a plus for me, but I don't see that as a
requirement.

 

Paul

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Wednesday, April 02, 2008 12:17 AM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

Take a look at
http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html -
especially the list of other solutions proposed before me, as well as Brad's
proposal.

 

The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support
this DNS, and they *are* the email providers.

 

EHL

 

From: Paul E. Jones [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 11:42 PM
To: Eran Hammer-Lahav; specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

Eran,

 

You're entirely correct that this is not an OpenID issue, per se.  In fact,
not a single word of text would need to be changed in the current v2 specs,
as far as I'm concerned.

 

But, I do think that it will take some of the core OpenID team members to
put a stake in the ground and say, this is the convention that we'll
follow.  What needs to happen then is perhaps an extension written that
explains how to convert an email address to a URL.  Using NAPTR records
seems like the simplest way to do it to me, but I'm open to suggestions.

 

Perhaps it is important to say, though, that I do not think it requires the
e-mail providers to get on board with this (in my view) simpler notation.  I
could use an ID like [EMAIL PROTECTED] and that should work, if
myopenid.com would publish the appropriate NAPTR record.  I could also
insert NAPTR records into the packetizer.com DNS server that would allow me
to use my email address, but point at my preferred OpenID provider.  In
short, just because the [EMAIL PROTECTED] syntax is used does not mean that it
necessarily an e-mail address: it could be, but more importantly, it just
follows that familiar format documented in RFC 822.

 

Paul

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

The beauty of the current OpenID spec is that anyone can implement it and go
live. However, with email identifiers you need email providers to support
it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a
feature, I am sure the others are likely to follow. Get 2 of these 4 and
you've got something going. But the biggest issue is not picking a standard
but finding a company willing to put something out there.

 

As for the technical solutions, there are many from DNS to XRDS to a simple
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not
an OpenID issue, but a non-HTTP URI -- HTTP URI conversation. Basically if
you had a generic way of moving from mailto:[EMAIL PROTECTED] to
http://example.com/url/user (or any other URI with HTTP, the domain, and the
user), any URI can be used for OpenID.

 

But at the end this is about someone of a major email provider saying they
are interested and put out something people can use. After that I expect the
snowball to roll. So, do you know anyone? J

 

EHL

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

 

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
ID is not one that the average user will remember or get right.

 

While the e-mail address does not have to be the one's ID, it can certainly
serve as an alias.  Suppose, for example, that the DNS records at Yahoo
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 U OpenID2
^(.+)@(.*)$!https://me.yahoo.com/\1!i;

 

This would allow a Relaying Party to accept an e-mail address and perform a
simple transformation to get the real URL identifier.  Of course, this
does not mean that the existing URL or XRI identifiers are invalid, nor does
it mean that the email address has to be a real e-mail address.  But, this
form would certainly be far simpler for most people to deal use.


Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt

Entering yahoo.com is even easier!

On 1-Apr-08, at 10:05 PM, Paul E. Jones wrote:


Eran,

I’m not suggesting that the address must be a real e-mail address.   
I’m suggesting that the ID has that form.  It’s easier for users  
than enteringhttps://me.yahoo.com/userid.  If it happens to also be  
one’s real e-mail address, fine.  That would be a plus for me, but I  
don’t see that as a requirement.


Paul


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On  
Behalf Of Eran Hammer-Lahav

Sent: Wednesday, April 02, 2008 12:17 AM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

Take a look at http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html 
 - especially the list of other solutions proposed before me, as  
well as Brad’s proposal.


The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to  
support this DNS, and they *are* the email providers.


EHL

From: Paul E. Jones [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 11:42 PM
To: Eran Hammer-Lahav; specs@openid.net
Subject: RE: Using email address as OpenID identifier

Eran,

You’re entirely correct that this is not an OpenID issue, per se.   
In fact, not a single word of text would need to be changed in the  
current v2 specs, as far as I’m concerned.


But, I do think that it will take some of the core OpenID team  
members to put a stake in the ground and say, “this is the  
convention that we’ll follow.”  What needs to happen then is perhaps  
an extension written that explains how to convert an email address  
to a URL.  Using NAPTR records seems like the simplest way to do it  
to me, but I’m open to suggestions.


Perhaps it is important to say, though, that I do not think it  
requires the e-mail providers to get on board with this (in my view)  
simpler notation.  I could use an ID like [EMAIL PROTECTED] and  
that should work, if myopenid.com would publish the appropriate  
NAPTR record.  I could also insert NAPTR records into the  
packetizer.com DNS server that would allow me to use my email  
address, but point at my preferred OpenID provider.  In short, just  
because the [EMAIL PROTECTED] syntax is used does not mean that it  
necessarily an e-mail address: it could be, but more importantly, it  
just follows that familiar format documented in RFC 822.


Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On  
Behalf Of Eran Hammer-Lahav

Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

The beauty of the current OpenID spec is that anyone can implement  
it and go live. However, with email identifiers you need email  
providers to support it. If Google, Yahoo, AOL, or Microsoft  
announced they are adding such a feature, I am sure the others are  
likely to follow. Get 2 of these 4 and you’ve got something going.  
But the biggest issue is not picking a standard but finding a  
company willing to put something out there.


As for the technical solutions, there are many from DNS to XRDS to a  
simple template agreed by all. Brad Fitzpatrick argued at FooCamp  
that this is not an OpenID issue, but a non-HTTP URI -- HTTP URI  
conversation. Basically if you had a generic way of moving  
frommailto:[EMAIL PROTECTED] to http://example.com/url/user (or any  
other URI with HTTP, the domain, and the user), any URI can be used  
for OpenID.


But at the end this is about someone of a major email provider  
saying they are interested and put out something people can use.  
After that I expect the snowball to roll. So, do you know anyone? J


EHL

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On  
Behalf Of Paul E. Jones

Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

Folks,

I’ve seen discussion here and there on the use of the e-mail address  
as the OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of same opinions.  If OpenID is going to be practically  
usable by the average person, we cannot require the person to  
remember some very complex identifier.  When I signed up for Yahoo’s  
OpenID service, it presented me with a hideously ugly URL that  
looked similar to a base64-encoded string.  I could not begin to  
tell you what it was.  Fortunately, Yahoo allowed me to define my  
own, friendlier name.  Still, the ID is not one that the average  
user will remember or get right.


While the e-mail address does not have to be the one’s ID, it can  
certainly serve as an alias.  Suppose, for example, that the DNS  
records at Yahoo contained the following entry:


  yahoo.com. IN NAPTR 100 10 U OpenID2 ^(.+)@(.*)$!https://me.yahoo.com/ 
\1!i


This would allow a Relaying Party to accept an e-mail address and  
perform a simple transformation to get the “real” URL identifier.   
Of course, this does not mean that the existing URL or XRI  
identifiers are invalid, nor does it 

Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt


On 1-Apr-08, at 10:02 PM, Paul E. Jones wrote:


Dick,

On this point, I really have to disagree.  Even I rarely enter a URL  
into a web browser. Why bother when I know the web browser will  
figure it out for me.  I don’t want to type http:// or https:// :-)


I don't want to type the protocol either. I should have been more  
clear, the user types yahoo.com or aol.com into the prompt. Since this  
is NOT the identifier (which is a useful aspect of this method) -- the  
risks of NOT using https are much lower.


-- Dick___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Using email address as OpenID identifier

2008-04-01 Thread James Henstridge
On 02/04/2008, Paul E. Jones [EMAIL PROTECTED] wrote:
 Brad,

 Your point about DNS limitations is valid.  Then again, anybody who will be
 offering the open identity server is likely going to have control over their
 DNS.  Still, I'm not opposed to alternatives.

 But, since you brought up the fact that one can enter yahoo.com and get
 redirected, I checked and, indeed, several OpenID sites already accept the
 e-mail ID as a form of identification—and I can get redirected to either
 Yahoo or MyOpenID.com.  So, do some of the libraries already check for
 e-mail address forms?  It seems that perhaps they do!

What you are seeing is probably not what you expect:

 from openid.consumer.discover import discover
 claimed_id, services = discover('[EMAIL PROTECTED]')
 for service in services:
... print 'Local ID:', service.getLocalID()
... print 'Server URL:', service.server_url
...
Local ID: None
Server URL: https://open.login.yahooapis.com/openid/op/auth
 claimed_id
'http://www.yahoo.com/'

What is happening is that [EMAIL PROTECTED] is being treated as
http://[EMAIL PROTECTED]/.  As http://yahoo.com; results in an
identifier select endpoint that will work for any Yahoo user.

Note that the HTTP username isn't being used for anything here, and
you'll get the same result by just entering yahoo.com.  I wonder if
the Yahoo guys had considered this, or if it is just a happy accident?

James.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs