Re: Using email address as OpenID identifier
this discussion, of course, has happened before:
http://openid.net/pipermail/specs/2008-January/002104.html

And paul is correct, IMHO... NAPTR is a better and more flexible way to address this. The original proposal had regex expressions in TXT RRs, which, while not improper, does not have a resolver code base to draw from, and some well-laid groundwork for regex processing libraries for resolvers to use.

on the other hand, i've never want to use my email address as my openID, and you'd have to write a new profile which allowed the OP/RP to understand i can prove ownership of the identifier.

=peterd

On Apr 9, 2008, at 2:14 PM, Paul E. Jones wrote:

James,

I don't think we need SRV records to do this. NAPTR would suffice, as that would allow one to transform one string into another.

But, it seems that there is an overwhelming preference for using some kind of string of undetermined structure to identify a user which is not of an e-mail format. (I know there is an intent to use a URI, but most users have no idea what a URI is and few really type them properly.)

So, while I still think the form [EMAIL PROTECTED] is better for the user world-wide community, I understand the counter-arguments. And, perhaps I'll be proven wrong-- which is OK.

Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of McGovern, James F (HTSC, IT)
Sent: Monday, April 07, 2008 3:21 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

This would require defining an OpenID SRV record in DNS. Would make sense for someone to get this formally defined as part of IETF. Could kinda be done in the same way that Boeing is moving forward definition of XRI in LDAP.

-----Original Message-----
Message: 1
Date: Mon, 07 Apr 2008 18:56:57 +0100
From: Martin Atkins [EMAIL PROTECTED]
Subject: Re: Using email address as OpenID identifier
To: specs@openid.net
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul E. Jones wrote:

Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. I could use an ID like [EMAIL PROTECTED] and that should work, if myopenid.com would publish the appropriate NAPTR record. I could also insert NAPTR records into the packetizer.com DNS server that would allow me to use my email address, but point at my preferred OpenID provider.

In short, just because the [EMAIL PROTECTED] syntax is used does not mean that it is necessarily an e-mail address: it could be, but more importantly, it just follows that familiar format documented in RFC 822.

Funnily enough, I've always perceived the fact that syntactically-valid but non-existent email addresses are being used as identifiers as a problem rather than a benefit:

* It creates confusion for users when something looks like an email address but it doesn't behave as one. I've seen this sort of confusion with Jabber servers, where users get confused that their Jabber ID and email address are not the same, especially when Jabber clients say "For example, [EMAIL PROTECTED]" under the Jabber ID field.

* If not all email-shaped OpenID identifiers are actually working mailboxes, it's likely to lead to a distressing user experience where the user is first asked to enter their OpenID identifier -- that is, their email address -- and then they're asked to enter and verify their email address. At this point, I expect users to at best say "Stupid computer! Remember what I've told you!" and at worst get confused and think that the OpenID identifier they entered was not correct.

* As has often been raised in both the OpenID-with-email and in the Jabber circles, many people are reluctant to give up their email addresses to the public eye for fear of spam. Note that Yahoo.com will, by default, use a big opaque string as an identifier rather than the user's Yahoo! account name for this very reason.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
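The NAPTR approach discussed in the message above (a record that transforms one string into another), as an added example that is not part of the thread: it applies an RFC 3402-style substitution expression to an email-shaped identifier and validates the URL that comes out. The record, the host names, the local-part whitelist, the whole-string match and the https-only rule are assumptions of this example, and Python's `re` stands in for POSIX ERE.

```python
import re
from urllib.parse import urlsplit

# Constructed NAPTR regexp field for example.com (not taken from the thread).
RECORD = r"!^([^@]+)@example\.com$!https://openid.example.net/\1!i"
# Assumed conservative local-part whitelist, so nothing odd is spliced into a URL.
LOCAL_OK = re.compile(r"[A-Za-z0-9._+-]{1,64}")

def parse_subst(expr):
    """Split 'delim ERE delim repl delim flags' into (ere, repl, flags)."""
    if len(expr) < 3 or expr[0].isdigit() or expr[0] in "i\\":
        raise ValueError("bad delimiter")
    delim, parts, buf, i = expr[0], [], [], 1
    while i < len(expr):
        c = expr[i]
        if c == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            # An escaped delimiter is literal; other escapes pass through.
            buf.append(nxt if nxt == delim else c + nxt)
            i += 2
            continue
        if c == delim and len(parts) < 2:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    flags = "".join(buf)
    if len(parts) != 2 or flags not in ("", "i"):
        raise ValueError("malformed substitution expression")
    return parts[0], parts[1], flags

def rewrite(identifier, expr):
    """Return the URL the record maps identifier to, or None if it does not apply."""
    local, sep, domain = identifier.rpartition("@")
    if not sep or not domain or not LOCAL_OK.fullmatch(local):
        raise ValueError("identifier is not a plain local@domain string")
    ere, repl, flags = parse_subst(expr)
    m = re.fullmatch(ere, identifier, re.IGNORECASE if flags else 0)
    if m is None:
        return None
    def backref(b):
        n = int(b.group(1))
        if n > m.re.groups:
            raise ValueError("backreference to a missing group")
        return m.group(n) or ""
    url = re.sub(r"\\([1-9])", backref, repl)
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname or parts.username is not None:
        raise ValueError("rewritten identifier is not a plain https URL")
    return url
```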
Re: Using email address as OpenID identifier
I really wish everyone would stop calling these identifiers email addresses. They're no more email addresses than xmpp: uris. You aren't going to change the email standards. You will not forcibly require email servers to recognize xrds discovery. All you're going to get is an identifier that looks something like an email. You may as well say that you're using jabber addresses as openids.

I'm going to stop saying you're actually speaking of XRDS document discovery, since that seems to be over everyone's head. I'm going to stop saying the openid list isn't the place for this, since we defer endpoint discovery to XRI discover 2.0, though we may switch to XRDS-Simple. But seriously, get off this list.

But for goodness sakes, could you stop calling them email addresses? They're just email-looking urls, nothing more. Unless you guys are so crazy as to have a line like "XRDS discovery MUST verify that the identifier accepts email", you're just not talking about email.

Respectfully and with far too much sarcasm,
http:// Joseph Holsten .com

On Fri, Apr 11, 2008 at 7:38 AM, Peter Davis [EMAIL PROTECTED] wrote:

this discussion, of course, has happened before:
http://openid.net/pipermail/specs/2008-January/002104.html

And paul is correct, IMHO... NAPTR is a better and more flexible way to address this. The original proposal had regex expressions in TXT RRs, which, while not improper, does not have a resolver code base to draw from, and some well-laid groundwork for regex processing libraries for resolvers to use.

on the other hand, i've never want to use my email address as my openID, and you'd have to write a new profile which allowed the OP/RP to understand i can prove ownership of the identifier.

=peterd

On Apr 9, 2008, at 2:14 PM, Paul E. Jones wrote:

James,

I don't think we need SRV records to do this. NAPTR would suffice, as that would allow one to transform one string into another.
But, it seems that there is an overwhelming preference for using some kind of string of undetermined structure to identify a user which is not of an e-mail format. (I know there is an intent to use a URI, but most users have no idea what a URI is and few really type them properly.)

So, while I still think the form [EMAIL PROTECTED] is better for the user world-wide community, I understand the counter-arguments. And, perhaps I'll be proven wrong-- which is OK.

Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of McGovern, James F (HTSC, IT)
Sent: Monday, April 07, 2008 3:21 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

This would require defining an OpenID SRV record in DNS. Would make sense for someone to get this formally defined as part of IETF. Could kinda be done in the same way that Boeing is moving forward definition of XRI in LDAP.

-----Original Message-----
Message: 1
Date: Mon, 07 Apr 2008 18:56:57 +0100
From: Martin Atkins [EMAIL PROTECTED]
Subject: Re: Using email address as OpenID identifier
To: specs@openid.net
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul E. Jones wrote:

Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. I could use an ID like [EMAIL PROTECTED] and that should work, if myopenid.com would publish the appropriate NAPTR record. I could also insert NAPTR records into the packetizer.com DNS server that would allow me to use my email address, but point at my preferred OpenID provider.

In short, just because the [EMAIL PROTECTED] syntax is used does not mean that it is necessarily an e-mail address: it could be, but more importantly, it just follows that familiar format documented in RFC 822.

Funnily enough, I've always perceived the fact that syntactically-valid but non-existent email addresses are being used as identifiers as a problem rather than a benefit:

* It creates confusion for users when something looks like an email address but it doesn't behave as one. I've seen this sort of confusion with Jabber servers, where users get confused that their Jabber ID and email address are not the same, especially when Jabber clients say "For example, [EMAIL PROTECTED]" under the Jabber ID field.

* If not all email-shaped OpenID identifiers are actually working mailboxes, it's likely to lead to a distressing user experience where the user is first asked to enter their OpenID identifier -- that is, their email address -- and then they're asked to enter and verify their email address. At this point, I expect users to at best say "Stupid computer! Remember what I've told you!" and at worst get confused and think that the OpenID identifier they entered was not correct.

* As has often been raised in both