Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt


On 1-Apr-08, at 11:15 PM, Paul E. Jones wrote:


Dick,

I’ll give you that one: that’s certainly easier.  But, does not  
cause some confusion?  After all, one’s identity is not yahoo.com,  
but that is the identity provider.  Perhaps the prompts around the  
Internet ought to Say “OpenID Provider:” instead? :-)


:-) ... that label would be more accurate. There is lots of work to be
done to make OpenID simpler for users. I think that what will be easy
for users is something provided by the browser that lets the user
click to initiate a login or registration. No typing is better than
any typing! Back when we started working on the protocols we could not
expect this kind of functionality to be in the browsers. Now that
awareness is higher, having it built into the browser is feasible. I
of course am biased given the work we have done with Sxipper
http://sxipper.com :)




Presently, this variant works for some providers, but not most.  I
assume it’s due to the fact they’re not fully compliant with the
spec yet? Or, is there some confusion as to how this ought to work?


I don't think an OP is not OpenID 2.0 compliant if it does not take
the OP as an identifier -- but I would have to reread the spec to
make sure.


-- Dick



___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Using email address as OpenID identifier

2008-04-01 Thread James Henstridge
On 02/04/2008, Paul E. Jones <[EMAIL PROTECTED]> wrote:
>  > A solution that matches closer with what the user expects would be to
>  > map "[EMAIL PROTECTED]" to a claimed ID of "mailto:[EMAIL PROTECTED]".
>
> The average user is not going to know what "mailto:" is.

The mailto: transition would be something done internally by the RP.
The RP could (and probably should) display email addresses without the
"mailto:" prefix to the user.

This is similar to the way RPs store persistent XRIs as the user's
claimed ID but are encouraged to display the reassignable XRI.


>  > For (2), I'd suggest a solution that maps the email address to either
>  > directly to an OpenID endpoint (using the claimed ID as local ID), or
>  > to an XRDS file.  A DNS based solution seems fine here (either your
>  > NAPTR idea, or TXT records as suggested in replies to your post).
>
>
> NAPTR queries and transformations are straight-forward.  It's just a regular
>  expression transformation from something that looks like an e-mail address
>  to the real OpenID ID.
>
>  But, again, I don't really care how it works. But, for the benefit of those
>  who are not so technically capable, I believe it's got to be super, super
>  trivial.  NAPTR would work extremely well, I think, and would be fast.  Any
>  OpenID OP could provide an e-mail style identifier and it would certainly be
>  a motivator for anybody providing e-mail service to also OpenID enable their
>  subscriber's e-mail addresses.

I don't think there is a need to introduce an HTTP identity URL here.
If you're going to use an email address as an identity, then use an
email address as an identity.

James.


RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Dick,

 

I'll give you that one: that's certainly easier.  But, does not cause some
confusion?  After all, one's identity is not yahoo.com, but that is the
identity provider.  Perhaps the prompts around the Internet ought to Say
"OpenID Provider:" instead? :-)

 

Presently, this variant works for some providers, but not most.  I assume
it's due to the fact they're not fully compliant with the spec yet? Or, is
there some confusion as to how this ought to work?

 

Paul

 

From: Dick Hardt [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2008 1:09 AM
To: Paul E. Jones
Cc: 'Eran Hammer-Lahav'; specs@openid.net
Subject: Re: Using email address as OpenID identifier

 

Entering yahoo.com is even easier!

 

On 1-Apr-08, at 10:05 PM, Paul E. Jones wrote:





Eran,

 

I'm not suggesting that the address must be a real e-mail address.  I'm
suggesting that the ID has that form.  It's easier for users than
entering https://me.yahoo.com/userid.  If it happens to also be one's real
e-mail address, fine.  That would be a plus for me, but I don't see that as
a requirement.

 

Paul

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Wednesday, April 02, 2008 12:17 AM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

Take a look at
http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html -
especially the list of other solutions proposed before me, as well as Brad's
proposal.

 

The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support
this DNS, and they *are* the email providers.

 

EHL

 

From: Paul E. Jones [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 11:42 PM
To: Eran Hammer-Lahav; specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

Eran,

 

You're entirely correct that this is not an OpenID issue, per se.  In fact,
not a single word of text would need to be changed in the current v2 specs,
as far as I'm concerned.

 

But, I do think that it will take some of the core OpenID team members to
put a stake in the ground and say, "this is the convention that we'll
follow."  What needs to happen then is perhaps an extension written that
explains how to convert an email address to a URL.  Using NAPTR records
seems like the simplest way to do it to me, but I'm open to suggestions.

 

Perhaps it is important to say, though, that I do not think it requires the
e-mail providers to get on board with this (in my view) simpler notation.  I
could use an ID like [EMAIL PROTECTED] and that should work, if
myopenid.com would publish the appropriate NAPTR record.  I could also
insert NAPTR records into the packetizer.com DNS server that would allow me
to use my email address, but point at my preferred OpenID provider.  In
short, just because the [EMAIL PROTECTED] syntax is used does not mean that it
is necessarily an e-mail address: it could be, but more importantly, it just
follows that familiar format documented in RFC 822.

 

Paul

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

The beauty of the current OpenID spec is that anyone can implement it and go
live. However, with email identifiers you need email providers to support
it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a
feature, I am sure the others are likely to follow. Get 2 of these 4 and
you've got something going. But the biggest issue is not picking a standard
but finding a company willing to put something out there.

 

As for the technical solutions, there are many from DNS to XRDS to a simple
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not
an OpenID issue, but a non-HTTP URI --> HTTP URI conversation. Basically if
you had a generic way of moving from mailto:[EMAIL PROTECTED] to
http://example.com/url/user (or any other URI with HTTP, the domain, and the
user), any URI can be used for OpenID.

 

But at the end this is about someone of a major email provider saying they
are interested and put out something people can use. After that I expect the
snowball to roll. So, do you know anyone? :-)

 

EHL

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

 

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
F

Re: Using email address as OpenID identifier

2008-04-01 Thread James Henstridge
On 02/04/2008, Paul E. Jones <[EMAIL PROTECTED]> wrote:
> Brad,
>
> Your point about DNS limitations is valid.  Then again, anybody who will be
> offering the open identity server is likely going to have control over their
> DNS.  Still, I'm not opposed to alternatives.
>
> But, since you brought up the fact that one can enter yahoo.com and get
> redirected, I checked and, indeed, several OpenID sites already accept the
> e-mail ID as a form of identification—and I can get redirected to either
> Yahoo or MyOpenID.com.  So, do some of the libraries already check for
> e-mail address forms?  It seems that perhaps they do!

What you are seeing is probably not what you expect:

>>> from openid.consumer.discover import discover
>>> claimed_id, services = discover('[EMAIL PROTECTED]')
>>> for service in services:
...     print 'Local ID:', service.getLocalID()
...     print 'Server URL:', service.server_url
...
Local ID: None
Server URL: https://open.login.yahooapis.com/openid/op/auth
>>> claimed_id
'http://www.yahoo.com/'

What is happening is that "[EMAIL PROTECTED]" is being treated as
"http://[EMAIL PROTECTED]/".  As "http://yahoo.com" results in an
identifier select endpoint that will work for any Yahoo user.

Note that the HTTP username isn't being used for anything here, and
you'll get the same result by just entering "yahoo.com".  I wonder if
the Yahoo guys had considered this, or if it is just a happy accident?

James.
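
Added example, not part of the message above and not python-openid code: a simplified sketch of OpenID 2.0 input normalization showing why an e-mail style input lands on the provider's own URL with the user name ignored. The address paulej@yahoo.com and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols (plus "(") that mark the input as an XRI.
XRI_PREFIXES = ("=", "@", "+", "$", "!", "(")


def normalize_user_input(text):
    """Simplified OpenID 2.0 normalization of what the user typed."""
    text = text.strip()
    if text.lower().startswith("xri://"):
        text = text[len("xri://"):]
    if text.startswith(XRI_PREFIXES):
        return "xri", text
    # Anything else is treated as an HTTP URL; a missing scheme is added.
    if not text.lower().startswith(("http://", "https://")):
        text = "http://" + text
    parts = urlsplit(text)
    # An empty path becomes "/" and any fragment is dropped.
    url = urlunsplit((parts.scheme.lower(), parts.netloc,
                      parts.path or "/", parts.query, ""))
    return "url", url


def discovery_target(text):
    """What the RP actually fetches: scheme, host, port and path."""
    kind, ident = normalize_user_input(text)
    if kind != "url":
        raise ValueError("XRI input is resolved differently")
    parts = urlsplit(ident)
    return parts.scheme, parts.hostname, parts.port, parts.path


def ignored_userinfo(text):
    """The part before '@' that ends up as HTTP userinfo, if any."""
    kind, ident = normalize_user_input(text)
    return urlsplit(ident).username if kind == "url" else None


if __name__ == "__main__":
    # Constructed inputs: all three reach the same discovery target.
    for typed in ("paulej@yahoo.com", "someone.else@yahoo.com", "yahoo.com"):
        print(typed, "->", normalize_user_input(typed)[1],
              "| target:", discovery_target(typed),
              "| ignored:", ignored_userinfo(typed))
```

An RP that wants to avoid the confusion can check ignored_userinfo() and tell the user that only the provider name was used.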


Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt


On 1-Apr-08, at 10:02 PM, Paul E. Jones wrote:


Dick,

On this point, I really have to disagree.  Even I rarely enter a URL  
into a web browser. Why bother when I know the web browser will  
figure it out for me.  I don’t want to type http:// or https:// :-)


I don't want to type the protocol either. I should have been more  
clear, the user types yahoo.com or aol.com into the prompt. Since this  
is NOT the identifier (which is a useful aspect of this method) -- the  
risks of NOT using https are much lower.


-- Dick


RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
James,

>>yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i" .
>
>
> 1. when a user enters an email address into an RP, how is the claimed
> ID derived from that input?

Using the NAPTR record as shown above, if I use [EMAIL PROTECTED], the RP
could perform a translation to https://me.yahoo.com/paulej
 
> 2. given such an input, how does the RP go about discovering the
> OpenID endpoint URL and local ID for that identity?
> 
> With answers to these two questions, the remainder of the protocol
> should function as is.

At this point, the RP would have the "real" OpenID ID for the user.
Everything else would proceed as normal.
 
> I'm guessing (correct me if I'm wrong) that you're suggesting that
> this DNS lookup be done as part of (1).  This seems like it would
> cause confusion if the user's ISP changed their DNS, since the user
> would see their email address as being the real identifier: not the
> URL that it maps to.

Yes, that could be an issue.  However, I would expect users would use an
identifier from an OP that *looks like* an e-mail address.  They would not
necessarily use their real address.  For example, I don't use Yahoo mail,
but I would enter [EMAIL PROTECTED] as my OpenID ID.

> A solution that matches closer with what the user expects would be to
> map "[EMAIL PROTECTED]" to a claimed ID of "mailto:[EMAIL PROTECTED]".

The average user is not going to know what "mailto:" is.
 
> For (2), I'd suggest a solution that maps the email address to either
> directly to an OpenID endpoint (using the claimed ID as local ID), or
> to an XRDS file.  A DNS based solution seems fine here (either your
> NAPTR idea, or TXT records as suggested in replies to your post).

NAPTR queries and transformations are straight-forward.  It's just a regular
expression transformation from something that looks like an e-mail address
to the real OpenID ID.

But, again, I don't really care how it works. But, for the benefit of those
who are not so technically capable, I believe it's got to be super, super
trivial.  NAPTR would work extremely well, I think, and would be fast.  Any
OpenID OP could provide an e-mail style identifier and it would certainly be
a motivator for anybody providing e-mail service to also OpenID enable their
subscriber's e-mail addresses.

Paul
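
Added example, not part of the message above and not code from any OpenID library: one way an RP could apply the proposed NAPTR substitution to an e-mail style input and check the result before using it as a claimed identifier. The record's regexp field is written here with the leading "!" delimiter of the RFC 3402 syntax; the address paulej@yahoo.com, the function names, the percent-encoding of the captured text and the https-only check are assumptions of this sketch, and Python's re stands in for POSIX ERE.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed sample: the regexp field of the NAPTR record proposed in the
# thread, written with the leading "!" delimiter of the RFC 3402 syntax
# (delim ere delim replacement delim flags).
SAMPLE_REGEXP_FIELD = r"!^(.+)@(.*)$!https://me.yahoo.com/\1!i"


def lookup_domain(identifier):
    """Domain whose NAPTR records an RP would query for this input."""
    local, at, domain = identifier.strip().rpartition("@")
    if not at or not local or not domain or re.search(r"[\s/]", domain):
        raise ValueError("not an e-mail style identifier")
    return domain.lower()


def parse_subst_expr(field):
    """Split a NAPTR regexp field into (ere, replacement, flags)."""
    if len(field) < 4:
        raise ValueError("regexp field too short")
    delim = field[0]
    # Split on delimiters that are not escaped with a backslash.
    parts = re.split(r"(?<!\\)" + re.escape(delim), field[1:])
    if len(parts) != 3 or not parts[0]:
        raise ValueError("expected <delim>ere<delim>repl<delim>flags")
    ere, repl, flags = parts
    if flags not in ("", "i"):
        raise ValueError("unsupported flags: %r" % flags)
    return ere, repl, flags


def apply_naptr(identifier, regexp_field):
    """Rewrite identifier with the record's substitution expression."""
    ere, repl, flags = parse_subst_expr(regexp_field)
    # Python's re is used as a stand-in for POSIX ERE (an approximation).
    match = re.search(ere, identifier, re.IGNORECASE if flags == "i" else 0)
    if match is None:
        raise ValueError("identifier does not match the record")

    def expand(backref):
        try:
            captured = match.group(int(backref.group(1))) or ""
        except IndexError:
            raise ValueError("backreference to a missing group")
        # Percent-encode so the captured text stays one path segment and
        # cannot add "/", "?", "#" or "@" to the rewritten URL.
        return quote(captured, safe="")

    return re.sub(r"\\([1-9])", expand, repl)


def email_to_openid(identifier, regexp_field):
    """Return the https claimed identifier for an e-mail style input."""
    lookup_domain(identifier)  # validates the input shape
    url = apply_naptr(identifier.strip(), regexp_field)
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("rewritten identifier must be an https URL")
    if parts.username is not None or parts.fragment:
        raise ValueError("userinfo or fragment in rewritten identifier")
    return url


if __name__ == "__main__":
    print(lookup_domain("paulej@yahoo.com"))
    print(email_to_openid("paulej@yahoo.com", SAMPLE_REGEXP_FIELD))
```

The DNS query itself is left out; the answer it returns is only as trustworthy as the resolution path, so the rewritten URL still has to go through normal OpenID discovery and verification.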




Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt

Entering yahoo.com is even easier!

On 1-Apr-08, at 10:05 PM, Paul E. Jones wrote:


Eran,

I’m not suggesting that the address must be a real e-mail address.
I’m suggesting that the ID has that form.  It’s easier for users
than entering https://me.yahoo.com/userid.  If it happens to also be
one’s real e-mail address, fine.  That would be a plus for me, but I
don’t see that as a requirement.


Paul


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On  
Behalf Of Eran Hammer-Lahav

Sent: Wednesday, April 02, 2008 12:17 AM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

Take a look at http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html 
 - especially the list of other solutions proposed before me, as  
well as Brad’s proposal.


The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to  
support this DNS, and they *are* the email providers.


EHL

From: Paul E. Jones [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 11:42 PM
To: Eran Hammer-Lahav; specs@openid.net
Subject: RE: Using email address as OpenID identifier

Eran,

You’re entirely correct that this is not an OpenID issue, per se.   
In fact, not a single word of text would need to be changed in the  
current v2 specs, as far as I’m concerned.


But, I do think that it will take some of the core OpenID team  
members to put a stake in the ground and say, “this is the  
convention that we’ll follow.”  What needs to happen then is perhaps  
an extension written that explains how to convert an email address  
to a URL.  Using NAPTR records seems like the simplest way to do it  
to me, but I’m open to suggestions.


Perhaps it is important to say, though, that I do not think it  
requires the e-mail providers to get on board with this (in my view)  
simpler notation.  I could use an ID like [EMAIL PROTECTED] and  
that should work, if myopenid.com would publish the appropriate  
NAPTR record.  I could also insert NAPTR records into the  
packetizer.com DNS server that would allow me to use my email  
address, but point at my preferred OpenID provider.  In short, just
because the [EMAIL PROTECTED] syntax is used does not mean that it
is necessarily an e-mail address: it could be, but more importantly, it
just follows that familiar format documented in RFC 822.


Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On  
Behalf Of Eran Hammer-Lahav

Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

The beauty of the current OpenID spec is that anyone can implement  
it and go live. However, with email identifiers you need email  
providers to support it. If Google, Yahoo, AOL, or Microsoft  
announced they are adding such a feature, I am sure the others are  
likely to follow. Get 2 of these 4 and you’ve got something going.  
But the biggest issue is not picking a standard but finding a  
company willing to put something out there.


As for the technical solutions, there are many from DNS to XRDS to a  
simple template agreed by all. Brad Fitzpatrick argued at FooCamp  
that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI  
conversation. Basically if you had a generic way of moving
from mailto:[EMAIL PROTECTED] to http://example.com/url/user (or any
other URI with HTTP, the domain, and the user), any URI can be used
for OpenID.


But at the end this is about someone of a major email provider  
saying they are interested and put out something people can use.  
After that I expect the snowball to roll. So, do you know anyone? :-)


EHL

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On  
Behalf Of Paul E. Jones

Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

Folks,

I’ve seen discussion here and there on the use of the e-mail address  
as the OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of same opinions.  If OpenID is going to be practically  
usable by the average person, we cannot require the person to  
remember some very complex identifier.  When I signed up for Yahoo’s  
OpenID service, it presented me with a hideously ugly URL that  
looked similar to a base64-encoded string.  I could not begin to  
tell you what it was.  Fortunately, Yahoo allowed me to define my  
own, friendlier name.  Still, the ID is not one that the average  
user will remember or get right.


While the e-mail address does not have to be the one’s ID, it can  
certainly serve as an alias.  Suppose, for example, that the DNS  
records at Yahoo contained the following entry:


  yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"


This would allow a Relaying Party to accept an e-mail address and  
perform a simple transformation to get the “real” URL identifier.   
Of course, this does not mean that the existing URL or XRI  
identifiers are invalid, nor doe

RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Eran,

 

I'm not suggesting that the address must be a real e-mail address.  I'm
suggesting that the ID has that form.  It's easier for users than entering
https://me.yahoo.com/userid.  If it happens to also be one's real e-mail
address, fine.  That would be a plus for me, but I don't see that as a
requirement.

 

Paul

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Wednesday, April 02, 2008 12:17 AM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

Take a look at
http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html -
especially the list of other solutions proposed before me, as well as Brad's
proposal.

 

The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support
this DNS, and they *are* the email providers.

 

EHL

 

From: Paul E. Jones [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 11:42 PM
To: Eran Hammer-Lahav; specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

Eran,

 

You're entirely correct that this is not an OpenID issue, per se.  In fact,
not a single word of text would need to be changed in the current v2 specs,
as far as I'm concerned.

 

But, I do think that it will take some of the core OpenID team members to
put a stake in the ground and say, "this is the convention that we'll
follow."  What needs to happen then is perhaps an extension written that
explains how to convert an email address to a URL.  Using NAPTR records
seems like the simplest way to do it to me, but I'm open to suggestions.

 

Perhaps it is important to say, though, that I do not think it requires the
e-mail providers to get on board with this (in my view) simpler notation.  I
could use an ID like [EMAIL PROTECTED] and that should work, if
myopenid.com would publish the appropriate NAPTR record.  I could also
insert NAPTR records into the packetizer.com DNS server that would allow me
to use my email address, but point at my preferred OpenID provider.  In
short, just because the [EMAIL PROTECTED] syntax is used does not mean that it
is necessarily an e-mail address: it could be, but more importantly, it just
follows that familiar format documented in RFC 822.

 

Paul

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

The beauty of the current OpenID spec is that anyone can implement it and go
live. However, with email identifiers you need email providers to support
it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a
feature, I am sure the others are likely to follow. Get 2 of these 4 and
you've got something going. But the biggest issue is not picking a standard
but finding a company willing to put something out there.

 

As for the technical solutions, there are many from DNS to XRDS to a simple
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not
an OpenID issue, but a non-HTTP URI --> HTTP URI conversation. Basically if
you had a generic way of moving from mailto:[EMAIL PROTECTED] to
http://example.com/url/user (or any other URI with HTTP, the domain, and the
user), any URI can be used for OpenID.

 

But at the end this is about someone of a major email provider saying they
are interested and put out something people can use. After that I expect the
snowball to roll. So, do you know anyone? :-)

 

EHL

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

 

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
ID is not one that the average user will remember or get right.

 

While the e-mail address does not have to be the one's ID, it can certainly
serve as an alias.  Suppose, for example, that the DNS records at Yahoo
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

 

This would allow a Relaying Party to accept an e-mail address and perform a
simple transformation to get the "real" URL identifier.  Of course, this
does not mean that the existing URL or XRI identifiers are invalid, nor does
it mean that the "email address" has to be a real e-mail address.  But, this
form would certainly be far simpler for most people t

RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Dick,

 

On this point, I really have to disagree.  Even I rarely enter a URL into a
web browser. Why bother when I know the web browser will figure it out for
me.  I don't want to type http:// or https:// :-)

 

More importantly, you and I are different than the average users.  I've
watched people struggle with getting addresses properly entered.  I've
watched people put "www" in front of every name entered into a web browser,
even when the site might be something else.  I've watched users enter \\
rather than //.  I've even seen no slash at all.

 

So, what I think is important is that users have something simple and
consistent.  As I noted in my message to Brad just a moment ago, it appears
that some sites will accept the e-mail address form and then figure out
where to direct the user.   I was pleasantly surprised.

 

Given that at least some of the sites out there now do operate this way, I
suspect it might just be a matter of time before all of them do.  But, I
think it's important that the user experience is consistent, as you say.  If
email IDs are going to be supported by some, they ought to be supported
by all - even if they do nothing but figure out which OP to direct the
browser to.

 

Paul

 

From: Dick Hardt [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 11:45 PM
To: Brad Fitzpatrick
Cc: Paul E. Jones; specs@openid.net
Subject: Re: Using email address as OpenID identifier

 

 

On 1-Apr-08, at 7:37 PM, Brad Fitzpatrick wrote:


-- that said, with directed identity in OpenID 2.0, a user just needs to
type in "yahoo.com", or press the pretty yahoo button.  No typing.

 

I think this is why we don't need to use emails. People are very familiar
with typing in a URL in the address bar. The experience of entering an URL
and then being on that page is also really familiar. This is of course what
happens when you type the OP into the OpenID prompt.

 

Sorry for not being the least bit supportive of the email as identifier idea
-- there are just so many things that are bad about it and the good reason
(an identifier they already know) is provided per above with the advantage
of giving an expected experience.

 

I agree with Brad that we need to write a FAQ on this.

 

-- Dick



RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Brad,

 

Your point about DNS limitations is valid.  Then again, anybody who will be 
offering the open identity server is likely going to have control over their 
DNS.  Still, I’m not opposed to alternatives.

 

But, since you brought up the fact that one can enter yahoo.com and get 
redirected, I checked and, indeed, several OpenID sites already accept the 
e-mail ID as a form of identification—and I can get redirected to either Yahoo 
or MyOpenID.com.  So, do some of the libraries already check for e-mail address 
forms?  It seems that perhaps they do!

 

Paul

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brad Fitzpatrick
Sent: Tuesday, April 01, 2008 10:38 PM
To: Paul E. Jones
Cc: specs@openid.net
Subject: Re: Using email address as OpenID identifier

 

This has been discussed to death and really should be a FAQ by now, but it's 
not written up, so I'll add a few points:

-- we should discuss this as a generic email to URL mapping problem, and ignore 
what is done with that URL then.  yes, it could be used as an OpenID

-- that said, with directed identity in OpenID 2.0, a user just needs to type 
in "yahoo.com", or press the pretty yahoo button.  No typing.

-- For email-to-URL, NAPTR by itself is a non-starter.  Technically it may be 
the correct way, but average people don't control their DNS.  Hell, 
networksolutions doesn't even let you add SRV or TXT records.

-- A good solution to email-to-URL mapping will likely involve an 
XRDS-Simple-style two-pronged discovery lookup path.  Whereas XRDS-Simple says 
"try Accept header, then parse the  tag", a good email-to-URL lookup 
"protocol" (best practice?) might be to try NAPTR first, then fall back to this:

http://brad.livejournal.com/2357444.html

- Brad

2008/4/1 Paul E. Jones <[EMAIL PROTECTED]>:

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the 
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable by 
the average person, we cannot require the person to remember some very complex 
identifier.  When I signed up for Yahoo's OpenID service, it presented me with 
a hideously ugly URL that looked similar to a base64-encoded string.  I could 
not begin to tell you what it was.  Fortunately, Yahoo allowed me to define my 
own, friendlier name.  Still, the ID is not one that the average user will 
remember or get right.

 

While the e-mail address does not have to be the one's ID, it can certainly 
serve as an alias.  Suppose, for example, that the DNS records at Yahoo 
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

 

This would allow a Relaying Party to accept an e-mail address and perform a 
simple transformation to get the "real" URL identifier.  Of course, this does 
not mean that the existing URL or XRI identifiers are invalid, nor does it mean 
that the "email address" has to be a real e-mail address.  But, this form would 
certainly be far simpler for most people to deal use.

 

If something like this has been discussed and rejected, what was the reason?

 

Thanks,

Paul

 




Re: Using email address as OpenID identifier

2008-04-01 Thread James Henstridge
On 02/04/2008, Paul E. Jones <[EMAIL PROTECTED]> wrote:
> Folks,
>
> I've seen discussion here and there on the use of the e-mail address as the
> OpenID identifier.  Perhaps this one says it best:
>
> http://www.majordojo.com/2007/02/what-openid-needs.php
>
> I share many of same opinions.  If OpenID is going to be practically usable
> by the average person, we cannot require the person to remember some very
> complex identifier.  When I signed up for Yahoo's OpenID service, it
> presented me with a hideously ugly URL that looked similar to a
> base64-encoded string.  I could not begin to tell you what it was.
> Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
> ID is not one that the average user will remember or get right.
>
> While the e-mail address does not have to be the one's ID, it can certainly
> serve as an alias.  Suppose, for example, that the DNS records at Yahoo
> contained the following entry:
>
>   yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"
>
> This would allow a Relaying Party to accept an e-mail address and perform a
> simple transformation to get the "real" URL identifier.  Of course, this
> does not mean that the existing URL or XRI identifiers are invalid, nor does
> it mean that the "email address" has to be a real e-mail address.  But, this
> form would certainly be far simpler for most people to deal use.

If your aim is to let people use an email address as an identifier,
there are a few questions to answer:

1. when a user enters an email address into an RP, how is the claimed
ID derived from that input?

2. given such an input, how does the RP go about discovering the
OpenID endpoint URL and local ID for that identity?

With answers to these two questions, the remainder of the protocol
should function as is.

I'm guessing (correct me if I'm wrong) that you're suggesting that
this DNS lookup be done as part of (1).  This seems like it would
cause confusion if the user's ISP changed their DNS, since the user
would see their email address as being the real identifier: not the
URL that it maps to.

A solution that matches closer with what the user expects would be to
map "[EMAIL PROTECTED]" to a claimed ID of "mailto:[EMAIL PROTECTED]".

For (2), I'd suggest a solution that maps the email address to either
directly to an OpenID endpoint (using the claimed ID as local ID), or
to an XRDS file.  A DNS based solution seems fine here (either your
NAPTR idea, or TXT records as suggested in replies to your post).

James.


RE: Using email address as OpenID identifier

2008-04-01 Thread Eran Hammer-Lahav
Take a look at 
http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html - especially 
the list of other solutions proposed before me, as well as Brad's proposal.

The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support this 
DNS, and they *are* the email providers.

EHL

From: Paul E. Jones [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 11:42 PM
To: Eran Hammer-Lahav; specs@openid.net
Subject: RE: Using email address as OpenID identifier

Eran,

You're entirely correct that this is not an OpenID issue, per se.  In fact, not 
a single word of text would need to be changed in the current v2 specs, as far 
as I'm concerned.

But, I do think that it will take some of the core OpenID team members to put a 
stake in the ground and say, "this is the convention that we'll follow."  What 
needs to happen then is perhaps an extension written that explains how to 
convert an email address to a URL.  Using NAPTR records seems like the simplest 
way to do it to me, but I'm open to suggestions.

Perhaps it is important to say, though, that I do not think it requires the 
e-mail providers to get on board with this (in my view) simpler notation.  I 
could use an ID like [EMAIL PROTECTED] and that should work, if myopenid.com 
would publish the appropriate NAPTR record.  I could also insert NAPTR records 
into the packetizer.com DNS server that would allow me to use my email address, 
but point at my preferred OpenID provider.  In short, just because the
[EMAIL PROTECTED] syntax is used does not mean that it is necessarily an e-mail address: 
it could be, but more importantly, it just follows that familiar format 
documented in RFC 822.

Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

The beauty of the current OpenID spec is that anyone can implement it and go 
live. However, with email identifiers you need email providers to support it. 
If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I 
am sure the others are likely to follow. Get 2 of these 4 and you've got 
something going. But the biggest issue is not picking a standard but finding a 
company willing to put something out there.

As for the technical solutions, there are many from DNS to XRDS to a simple 
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an 
OpenID issue, but a non-HTTP URI --> HTTP URI conversion. Basically if you 
had a generic way of moving from mailto:[EMAIL PROTECTED] to 
http://example.com/url/user (or any other URI with HTTP, the domain, and the 
user), any URI can be used for OpenID.

But at the end this is about someone at a major email provider saying they are 
interested and putting out something people can use. After that I expect the 
snowball to roll. So, do you know anyone? :)

EHL

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

Folks,

I've seen discussion here and there on the use of the e-mail address as the 
OpenID identifier.  Perhaps this one says it best:
http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of the same opinions.  If OpenID is going to be practically usable by 
the average person, we cannot require the person to remember some very complex 
identifier.  When I signed up for Yahoo's OpenID service, it presented me with 
a hideously ugly URL that looked similar to a base64-encoded string.  I could 
not begin to tell you what it was.  Fortunately, Yahoo allowed me to define my 
own, friendlier name.  Still, the ID is not one that the average user will 
remember or get right.

While the e-mail address does not have to be one's ID, it can certainly 
serve as an alias.  Suppose, for example, that the DNS records at Yahoo 
contained the following entry:

  yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

This would allow a Relying Party to accept an e-mail address and perform a 
simple transformation to get the "real" URL identifier.  Of course, this does 
not mean that the existing URL or XRI identifiers are invalid, nor does it mean 
that the "email address" has to be a real e-mail address.  But, this form would 
certainly be far simpler for most people to use.

If something like this has been discussed and rejected, what was the reason?

Thanks,
Paul



Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt


On 1-Apr-08, at 7:37 PM, Brad Fitzpatrick wrote:


-- that said, with directed identity in OpenID 2.0, a user just  
needs to type in "yahoo.com", or press the pretty yahoo button.  No  
typing.


I think this is why we don't need to use emails. People are very  
familiar with typing in a URL in the address bar. The experience of  
entering an URL and then being on that page is also really familiar.  
This is of course what happens when you type the OP into the OpenID  
prompt.


Sorry for not being the least bit supportive of the email as  
identifier idea -- there are just so many things that are bad about it  
and the good reason (an identifier they already know) is provided per  
above with the advantage of giving an expected experience.


I agree with Brad that we need to write a FAQ on this.

-- Dick


RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Eran,

 

You're entirely correct that this is not an OpenID issue, per se.  In fact,
not a single word of text would need to be changed in the current v2 specs,
as far as I'm concerned.

 

But, I do think that it will take some of the core OpenID team members to
put a stake in the ground and say, "this is the convention that we'll
follow."  What needs to happen then is perhaps an extension written that
explains how to convert an email address to a URL.  Using NAPTR records
seems like the simplest way to do it to me, but I'm open to suggestions.

 

Perhaps it is important to say, though, that I do not think it requires the
e-mail providers to get on board with this (in my view) simpler notation.  I
could use an ID like [EMAIL PROTECTED] and that should work, if
myopenid.com would publish the appropriate NAPTR record.  I could also
insert NAPTR records into the packetizer.com DNS server that would allow me
to use my email address, but point at my preferred OpenID provider.  In
short, just because the [EMAIL PROTECTED] syntax is used does not mean that it is
necessarily an e-mail address: it could be, but more importantly, it just
follows that familiar format documented in RFC 822.

 

Paul

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

The beauty of the current OpenID spec is that anyone can implement it and go
live. However, with email identifiers you need email providers to support
it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a
feature, I am sure the others are likely to follow. Get 2 of these 4 and
you've got something going. But the biggest issue is not picking a standard
but finding a company willing to put something out there.

 

As for the technical solutions, there are many from DNS to XRDS to a simple
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not
an OpenID issue, but a non-HTTP URI --> HTTP URI conversion. Basically if
you had a generic way of moving from mailto:[EMAIL PROTECTED] to
http://example.com/url/user (or any other URI with HTTP, the domain, and the
user), any URI can be used for OpenID.

 

But at the end this is about someone at a major email provider saying they
are interested and putting out something people can use. After that I expect the
snowball to roll. So, do you know anyone? :)

 

EHL

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

 

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of the same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
ID is not one that the average user will remember or get right.

 

While the e-mail address does not have to be one's ID, it can certainly
serve as an alias.  Suppose, for example, that the DNS records at Yahoo
contained the following entry:

  yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

This would allow a Relying Party to accept an e-mail address and perform a
simple transformation to get the "real" URL identifier.  Of course, this
does not mean that the existing URL or XRI identifiers are invalid, nor does
it mean that the "email address" has to be a real e-mail address.  But, this
form would certainly be far simpler for most people to use.

 

If something like this has been discussed and rejected, what was the reason?

 

Thanks,

Paul

 



RE: Using email address as OpenID identifier

2008-04-01 Thread Eran Hammer-Lahav
The beauty of the current OpenID spec is that anyone can implement it and go 
live. However, with email identifiers you need email providers to support it. 
If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I 
am sure the others are likely to follow. Get 2 of these 4 and you've got 
something going. But the biggest issue is not picking a standard but finding a 
company willing to put something out there.

As for the technical solutions, there are many from DNS to XRDS to a simple 
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an 
OpenID issue, but a non-HTTP URI --> HTTP URI conversion. Basically if you 
had a generic way of moving from mailto:[EMAIL PROTECTED] to 
http://example.com/url/user (or any other URI with HTTP, the domain, and the 
user), any URI can be used for OpenID.

But at the end this is about someone at a major email provider saying they are 
interested and putting out something people can use. After that I expect the 
snowball to roll. So, do you know anyone? :)

EHL

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

Folks,

I've seen discussion here and there on the use of the e-mail address as the 
OpenID identifier.  Perhaps this one says it best:
http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of the same opinions.  If OpenID is going to be practically usable by 
the average person, we cannot require the person to remember some very complex 
identifier.  When I signed up for Yahoo's OpenID service, it presented me with 
a hideously ugly URL that looked similar to a base64-encoded string.  I could 
not begin to tell you what it was.  Fortunately, Yahoo allowed me to define my 
own, friendlier name.  Still, the ID is not one that the average user will 
remember or get right.

While the e-mail address does not have to be one's ID, it can certainly 
serve as an alias.  Suppose, for example, that the DNS records at Yahoo 
contained the following entry:

  yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

This would allow a Relying Party to accept an e-mail address and perform a 
simple transformation to get the "real" URL identifier.  Of course, this does 
not mean that the existing URL or XRI identifiers are invalid, nor does it mean 
that the "email address" has to be a real e-mail address.  But, this form would 
certainly be far simpler for most people to use.

If something like this has been discussed and rejected, what was the reason?

Thanks,
Paul



Re: Using email address as OpenID identifier

2008-04-01 Thread Brad Fitzpatrick
This has been discussed to death and really should be a FAQ by now, but it's
not written up, so I'll add a few points:

-- we should discuss this as a generic email to URL mapping problem, and
ignore what is done with that URL then.  yes, it could be used as an OpenID

-- that said, with directed identity in OpenID 2.0, a user just needs to
type in "yahoo.com", or press the pretty yahoo button.  No typing.

-- For email-to-URL, NAPTR by itself is a non-starter.  Technically it may
be the correct way, but average people don't control their DNS.  Hell,
networksolutions doesn't even let you add SRV or TXT records.

-- A good solution to email-to-URL mapping will likely involve an
XRDS-Simple-style two-pronged discovery lookup path.  Whereas XRDS-Simple
says "try Accept header, then parse the  tag", a good email-to-URL
lookup "protocol" (best practice?) might be to try NAPTR first, then fall
back to this:

http://brad.livejournal.com/2357444.html

- Brad

2008/4/1 Paul E. Jones <[EMAIL PROTECTED]>:

>  Folks,
>
>
>
> I've seen discussion here and there on the use of the e-mail address as
> the OpenID identifier.  Perhaps this one says it best:
>
> http://www.majordojo.com/2007/02/what-openid-needs.php
>
>
>
> I share many of the same opinions.  If OpenID is going to be practically
> usable by the average person, we cannot require the person to remember some
> very complex identifier.  When I signed up for Yahoo's OpenID service, it
> presented me with a hideously ugly URL that looked similar to a
> base64-encoded string.  I could not begin to tell you what it was.
> Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
> ID is not one that the average user will remember or get right.
>
>
>
> While the e-mail address does not have to be one's ID, it can
> certainly serve as an alias.  Suppose, for example, that the DNS records at
> Yahoo contained the following entry:
>
>   yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"
>
> This would allow a Relying Party to accept an e-mail address and perform
> a simple transformation to get the "real" URL identifier.  Of course, this
> does not mean that the existing URL or XRI identifiers are invalid, nor does
> it mean that the "email address" has to be a real e-mail address.  But, this
> form would certainly be far simpler for most people to use.
>
>
>
> If something like this has been discussed and rejected, what was the
> reason?
>
>
>
> Thanks,
>
> Paul


Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of the same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
ID is not one that the average user will remember or get right.

 

While the e-mail address does not have to be one's ID, it can certainly
serve as an alias.  Suppose, for example, that the DNS records at Yahoo
contained the following entry:

  yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

This would allow a Relying Party to accept an e-mail address and perform a
simple transformation to get the "real" URL identifier.  Of course, this
does not mean that the existing URL or XRI identifiers are invalid, nor does
it mean that the "email address" has to be a real e-mail address.  But, this
form would certainly be far simpler for most people to use.

 

If something like this has been discussed and rejected, what was the reason?

 

Thanks,

Paul

 
