Re: Using email address as OpenID identifier

2008-04-11 Thread Peter Davis
this discussion, of course, has happened before:

http://openid.net/pipermail/specs/2008-January/002104.html

And paul is correct, IMHO... NAPTR is a better and more flexible way  
to address this.  The original proposal had regex expressions in TXT  
RRs.  which, while not improper, does not have a resolver code base  
to draw from, and some well-laid groundwork for regex processing  
libraries for resolvers to use.

on the other hand, i've never wanted to use my email address as my
openID, and you'd have to write a new profile which allowed the OP/RP  
to understand i can prove ownership of the identifier.

=peterd

 ___
 specs mailing list
 specs@openid.net
 http://openid.net/mailman/listinfo/specs




Re: Using email address as OpenID identifier

2008-04-11 Thread Joseph Holsten
I really wish everyone would stop calling these identifiers email
addresses. They're no more email addresses than xmpp: uris.

You aren't going to change the email standards. You will not forcibly
require email servers to recognize xrds discovery. All you're going to
get is an identifier that looks something like an email.

You may as well say that you're using jabber addresses as openids. I'm
going to stop saying you're actually speaking of XRDS document
discovery, since that seems to be over everyone's head. I'm going to
stop saying the openid list isn't the place for this, since we defer
endpoint discovery to XRI discover 2.0, though we may switch to
XRDS-Simple. But seriously, get off this list.

But for goodness sakes, could you stop calling them email addresses?
They're just email-looking urls, nothing more. Unless you guys are so
crazy as to have a line like XRDS discovery MUST verify that the
identifier accepts email, you're just not talking about email.

Respectfully and with far too much sarcasm,
http:// Joseph Holsten .com


RE: Using email address as OpenID identifier

2008-04-09 Thread Paul E. Jones
James,

I don't think we need SRV records to do this.  NAPTR would suffice, as that
would allow one to transform one string into another.

But, it seems that there is an overwhelming preference for using some kind
of string of undetermined structure to identify a user which is not of an
e-mail format.  (I know there is an intent to use a URI, but most users have
no idea what a URI is and few really type them properly.)

So, while I still think the form [EMAIL PROTECTED] is better for the user
world-wide community, I understand the counter-arguments.  And, perhaps I'll
be proven wrong-- which is OK.

Paul



Re: Using email address as OpenID identifier

2008-04-07 Thread Martin Atkins
Paul E. Jones wrote:
 
 Perhaps it is important to say, though, that I do not think it requires 
 the e-mail providers to get on board with this (in my view) simpler 
 notation.  I could use an ID like [EMAIL PROTECTED] and that should 
 work, if myopenid.com would publish the appropriate NAPTR record.  I 
 could also insert NAPTR records into the packetizer.com DNS server that 
 would allow me to use my email address, but point at my preferred OpenID 
 provider.  In short, just because the [EMAIL PROTECTED] syntax is used does 
 not mean that it is necessarily an e-mail address: it could be, but more 
 importantly, it just follows that familiar format documented in RFC 822.
 

Funnily enough, I've always perceived the fact that syntactically-valid 
but non-existent email addresses are being used as identifiers as a 
problem rather than a benefit:

  * It creates confusion for users when something looks like an email 
address but it doesn't behave as one. I've seen this sort of confusion 
with Jabber servers, where users get confused that their Jabber ID and 
email address are not the same, especially when Jabber clients say For 
example, [EMAIL PROTECTED] under the Jabber ID field.

  * If not all email-shaped OpenID identifiers are actually working 
mailboxes, it's likely to lead to a distressing user experience where 
the user is first asked to enter their OpenID identifier -- that is, 
their email address -- and then they're asked to enter and verify their 
email address. At this point, I expect users to at best say Stupid 
computer! Remember what I've told you! and at worst get confused and 
think that the OpenID identifier they entered was not correct.

  * As has often been raised in both the OpenID-with-email and in the 
Jabber circles, many people are reluctant to give up their email 
addresses to the public eye for fear of spam. Note that Yahoo.com will, 
by default, use a big opaque string as an identifier rather than the 
user's Yahoo! account name for this very reason.



Re: Using email address as OpenID identifier

2008-04-07 Thread Martin Atkins
Paul E. Jones wrote:
  
 
 I’ll give you that one: that’s certainly easier.  But, does not cause 
 some confusion?  After all, one’s identity is not yahoo.com, but that is 
 the identity provider.  Perhaps the prompts around the Internet ought to 
 Say “OpenID Provider:” instead? :-)
 

I propose that the caption be Whatever your OpenID provider told you to 
enter: .

(I joke, of course. Mostly.)



Using email address as OpenID identifier

2008-04-07 Thread McGovern, James F (HTSC, IT)
This would require defining an OpenID SRV record in DNS. Would make
sense for someone to get this formally defined as part of IETF. Could
kinda be done in the same way that Boeing is moving forward definition
of XRI in LDAP.. 

*
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*



Re: Using email address as OpenID identifier

2008-04-07 Thread Holger Baxmann
What about having an ENUM e164.org record holding not only the IP of  
an SIP-Broker, but the OpenID ID. Whatever format and syntax it might  
have.

The appropriate IETF RFC 2916  E.164 number and DNS could provide  
not only mangling with eMail addresses but also with telephone  
numbers: this will provide much more fun !

But seriously: mixing the POTS numbering system with the now good old  
internet identification could be an in place solution, IMHO.

2ct
.bax



RE: Using email address as OpenID identifier

2008-04-02 Thread Paul E. Jones
Dick,

 

I'll give you that one: that's certainly easier.  But, does not cause some
confusion?  After all, one's identity is not yahoo.com, but that is the
identity provider.  Perhaps the prompts around the Internet ought to Say
OpenID Provider: instead? :-)

 

Presently, this variant works for some providers, but not most.  I assume
it's due to the fact they're not fully compliant with the spec yet? Or, is
there some confusion as to how this ought to work?

 

Paul

 

From: Dick Hardt [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2008 1:09 AM
To: Paul E. Jones
Cc: 'Eran Hammer-Lahav'; specs@openid.net
Subject: Re: Using email address as OpenID identifier

 

Entering yahoo.com is even easier!

 

On 1-Apr-08, at 10:05 PM, Paul E. Jones wrote:





Eran,

 

I'm not suggesting that the address must be a real e-mail address.  I'm
suggesting that the ID has that form.  It's easier for users than
entering https://me.yahoo.com/userid.  If it happens to also be one's real
e-mail address, fine.  That would be a plus for me, but I don't see that as
a requirement.

 

Paul

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Wednesday, April 02, 2008 12:17 AM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

Take a look at
http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html -
especially the list of other solutions proposed before me, as well as Brad's
proposal.

 

The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support
this DNS, and they *are* the email providers.

 

EHL

 

From: Paul E. Jones [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 11:42 PM
To: Eran Hammer-Lahav; specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

Eran,

 

You're entirely correct that this is not an OpenID issue, per se.  In fact,
not a single word of text would need to be changed in the current v2 specs,
as far as I'm concerned.

 

But, I do think that it will take some of the core OpenID team members to
put a stake in the ground and say, this is the convention that we'll
follow.  What needs to happen then is perhaps an extension written that
explains how to convert an email address to a URL.  Using NAPTR records
seems like the simplest way to do it to me, but I'm open to suggestions.

 

Perhaps it is important to say, though, that I do not think it requires the
e-mail providers to get on board with this (in my view) simpler notation.  I
could use an ID like [EMAIL PROTECTED] and that should work, if
myopenid.com would publish the appropriate NAPTR record.  I could also
insert NAPTR records into the packetizer.com DNS server that would allow me
to use my email address, but point at my preferred OpenID provider.  In
short, just because the [EMAIL PROTECTED] syntax is used does not mean that it is
necessarily an e-mail address: it could be, but more importantly, it just
follows that familiar format documented in RFC 822.

 

Paul

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

The beauty of the current OpenID spec is that anyone can implement it and go
live. However, with email identifiers you need email providers to support
it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a
feature, I am sure the others are likely to follow. Get 2 of these 4 and
you've got something going. But the biggest issue is not picking a standard
but finding a company willing to put something out there.

 

As for the technical solutions, there are many from DNS to XRDS to a simple
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not
an OpenID issue, but a non-HTTP URI -- HTTP URI conversation. Basically if
you had a generic way of moving from mailto:[EMAIL PROTECTED] to
http://example.com/url/user (or any other URI with HTTP, the domain, and the
user), any URI can be used for OpenID.

 

But at the end this is about someone of a major email provider saying they
are interested and put out something people can use. After that I expect the
snowball to roll. So, do you know anyone? :-)

 

EHL

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

 

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what

Re: Using email address as OpenID identifier

2008-04-02 Thread James Henstridge
On 02/04/2008, Paul E. Jones [EMAIL PROTECTED] wrote:
   A solution that matches closer with what the user expects would be to
   map [EMAIL PROTECTED] to a claimed ID of mailto:[EMAIL PROTECTED].

 The average user is not going to know what mailto: is.

The mailto: transition would be something done internally by the RP.
The RP could (and probably should) display email addresses without the
mailto: prefix to the user.

This is similar to the way RPs store persistent XRIs as the user's
claimed ID but are encouraged to display the reassignable XRI.


   For (2), I'd suggest a solution that maps the email address either
   directly to an OpenID endpoint (using the claimed ID as local ID), or
   to an XRDS file.  A DNS based solution seems fine here (either your
   NAPTR idea, or TXT records as suggested in replies to your post).


 NAPTR queries and transformations are straight-forward.  It's just a regular
  expression transformation from something that looks like an e-mail address
  to the real OpenID ID.

  But, again, I don't really care how it works. But, for the benefit of those
  who are not so technically capable, I believe it's got to be super, super
  trivial.  NAPTR would work extremely well, I think, and would be fast.  Any
  OpenID OP could provide an e-mail style identifier and it would certainly be
  a motivator for anybody providing e-mail service to also OpenID enable their
  subscriber's e-mail addresses.

I don't think there is a need to introduce an HTTP identity URL here.
If you're going to use an email address as an identity, then use an
email address as an identity.

James.


Re: Using email address as OpenID identifier

2008-04-02 Thread Dick Hardt


On 1-Apr-08, at 11:15 PM, Paul E. Jones wrote:


Dick,

I’ll give you that one: that’s certainly easier.  But, does not  
cause some confusion?  After all, one’s identity is not yahoo.com,  
but that is the identity provider.  Perhaps the prompts around the  
Internet ought to Say “OpenID Provider:” instead? :-)


:-) ... that label would be more accurate. There is lots of work to be  
done to make OpenID simpler for users. I think that what will be easy  
for users is something provided by the browser that lets the user  
click to initiate a login or registration. No typing is better than  
any typing! Back when we started working on the protocols we could not  
expect this kind of functionality to be in the browsers. Now that  
awareness is higher, having it built into the browser is feasible. I  
of course am biased given the work we have done with Sxipper http://sxipper.com 
 :)




Presently, this variant works for some providers, but not most.  I  
assume it’s due to the fact they’re not fully compliant with the  
spec yet? Or, is there some confusion as to how this ought to work?


I don't think an OP is not OpenID 2.0 compliant if it does not take  
the OP as an identifier -- but I would have to reread the spec to  
make sure.


-- Dick





Re: Using email address as OpenID identifier

2008-04-02 Thread Joseph Anthony Pasquale Holsten
Does anyone have the time to write an email - xrds discovery spec so  
we can formally ignore it? And so people can argue with their dns  
providers instead of on list?


http:// Joseph Holsten .com


On 02008:04:01, at 9:30CDT, Paul E. Jones wrote:


Folks,



I’ve seen discussion here and there on the use of the e-mail  
address as the OpenID identifier.  Perhaps this one says it best:


http://www.majordojo.com/2007/02/what-openid-needs.php



I share many of same opinions.  If OpenID is going to be  
practically usable by the average person, we cannot require the  
person to remember some very complex identifier.  When I signed up  
for Yahoo’s OpenID service, it presented me with a hideously ugly  
URL that looked similar to a base64-encoded string.  I could not  
begin to tell you what it was.  Fortunately, Yahoo allowed me to  
define my own, friendlier name.  Still, the ID is not one that the  
average user will remember or get right.




While the e-mail address does not have to be the one’s ID, it can  
certainly serve as an alias.  Suppose, for example, that the DNS  
records at Yahoo contained the following entry:




  yahoo.com. IN NAPTR 100 10 U OpenID2 ^(.+)@(.*)$!https://me.yahoo.com/\1!i




This would allow a Relaying Party to accept an e-mail address and  
perform a simple transformation to get the “real” URL identifier.   
Of course, this does not mean that the existing URL or XRI  
identifiers are invalid, nor does it mean that the “email address”  
has to be a real e-mail address.  But, this form would certainly be  
far simpler for most people to deal use.




If something like this has been discussed and rejected, what was  
the reason?




Thanks,

Paul





RE: Using email address as OpenID identifier

2008-04-02 Thread Paul E. Jones
Joseph,

 

That argument was given to me yesterday, but I don't think you really need
to worry with your DNS provider unless you're also trying to operate your
own OP.

 

Suppose, for example, you have an ID assigned by myopenid.com.  I don't know
what URI format they'll use, but let's say it is
https://myopenid.com/joseph.  Or, perhaps it's https://joseph.myopenid.com.
Whatever the format, there is always a user component to it.  So, it would
be quite simple to take the user component and put it into an e-mail ID
style like [EMAIL PROTECTED]  This does not necessarily mean you have an
e-mail address, but it could be an e-mail address.

 

The conversion from that form to a URI form is easily achieved via NAPTR
records similar to the one I show below.  So, before any XRDS query is
performed, the RP would see if the ID provided is an e-mail-style ID.  If
so, query for the NAPTR record and then perform the conversion from the
e-mail-style to a URL.  From there, it all works the same.  It's just a
make it simple enhancement that requires no changes to the core Open ID
specs.

 

Paul

 

From: Joseph Holsten [mailto:[EMAIL PROTECTED] On Behalf Of Joseph
Anthony Pasquale Holsten
Sent: Wednesday, April 02, 2008 4:52 AM
To: Paul E. Jones
Cc: specs@openid.net
Subject: Re: Using email address as OpenID identifier

 

Does anyone have the time to write an email - xrds discovery spec so we can
formally ignore it? And so people can argue with their dns providers instead
of on list?

 

http:// Joseph Holsten .com

 

 

On 02008:04:01, at 9:30CDT, Paul E. Jones wrote:





Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
ID is not one that the average user will remember or get right.

 

While the e-mail address does not have to be the one's ID, it can certainly
serve as an alias.  Suppose, for example, that the DNS records at Yahoo
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 U OpenID2
^(.+)@(.*)$!https://me.yahoo.com/\1!i

 

This would allow a Relaying Party to accept an e-mail address and perform a
simple transformation to get the real URL identifier.  Of course, this
does not mean that the existing URL or XRI identifiers are invalid, nor does
it mean that the email address has to be a real e-mail address.  But, this
form would certainly be far simpler for most people to deal use.

 

If something like this has been discussed and rejected, what was the reason?

 

Thanks,

Paul

 


 

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
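
The conversion step described in the message above (detect an e-mail-style ID, take the domain's NAPTR record, rewrite the ID to a URL before any XRDS query), as an added Python example; it is not code from the thread or from any OpenID library. The record is a constructed sample written with the leading `!` delimiter that RFC 3403 uses for the regexp field, no DNS query is made, and the function names, the percent-encoding of back-references and the https-only check are assumptions of this example.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed sample: the fields of the NAPTR record proposed in the thread,
# with the regexp field in RFC 3403 form (delimiter, ERE, replacement, flags).
SAMPLE_NAPTR = {
    "owner": "yahoo.com.",
    "order": 100,
    "preference": 10,
    "flags": "U",
    "service": "OpenID2",
    "regexp": r"!^(.+)@(.*)$!https://me.yahoo.com/\1!i",
}


class DiscoveryError(ValueError):
    """The identifier or the NAPTR record cannot be used safely."""


def split_identifier(identifier):
    """Split an e-mail-style identifier into (local part, lower-cased domain)."""
    local, sep, domain = identifier.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not re.fullmatch(r"[a-z0-9.-]+", domain):
        raise DiscoveryError("not an e-mail-style identifier")
    return local, domain


def parse_regexp_field(field):
    """Return (compiled pattern, replacement) from a NAPTR regexp field.

    Assumption: the delimiter does not occur inside the expression, and the
    ERE is simple enough to mean the same thing to Python's re module.
    """
    if len(field) < 3:
        raise DiscoveryError("regexp field too short")
    parts = field[1:].split(field[0])
    if len(parts) != 3 or parts[2] not in ("", "i"):
        raise DiscoveryError("malformed regexp field")
    ere, repl, flags = parts
    try:
        return re.compile(ere, re.IGNORECASE if flags == "i" else 0), repl
    except re.error as exc:
        raise DiscoveryError(f"bad expression: {exc}") from exc


def check_url(url):
    """Accept only an https URL with a plain host name and no userinfo."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise DiscoveryError("result must be an https URL")
    if parts.username is not None or parts.password is not None:
        raise DiscoveryError("userinfo is not allowed in the result")
    if not re.fullmatch(r"[a-z0-9.-]+", parts.hostname):
        raise DiscoveryError("unexpected characters in host name")
    return url


def email_to_openid_url(identifier, record):
    """Rewrite an e-mail-style identifier to a URL using one NAPTR record."""
    local, domain = split_identifier(identifier)
    # The record must come from the domain the user typed, not from elsewhere.
    if record["owner"].rstrip(".").lower() != domain:
        raise DiscoveryError("record does not belong to the identifier's domain")
    if record["flags"].upper() != "U" or record["service"].lower() != "openid2":
        raise DiscoveryError("not a terminal OpenID2 record")
    pattern, repl = parse_regexp_field(record["regexp"])
    match = pattern.search(f"{local}@{domain}")
    if match is None:
        raise DiscoveryError("identifier does not match the record")

    def backref(m):
        index = int(m.group(1))
        if index > pattern.groups:
            raise DiscoveryError("back-reference to a missing group")
        # Percent-encode user input so "/", "?", "#" or "@" in the local part
        # cannot change the path, query or authority of the resulting URL.
        return quote(match.group(index) or "", safe="")

    return check_url(re.sub(r"\\([1-9])", backref, repl))


def try_resolve(identifier, record):
    """Return the URL, or None so the RP can fall back to normal discovery."""
    try:
        return email_to_openid_url(identifier, record)
    except DiscoveryError:
        return None


if __name__ == "__main__":
    for ident in ("alice@yahoo.com", "a/../b?x#y@yahoo.com", "yahoo.com"):
        print(ident, "->", try_resolve(ident, SAMPLE_NAPTR))
```

The URL that comes back is only the input to ordinary OpenID discovery; everything after that point runs as in the existing specs.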


Re: IDMML (was RE: Using email address as OpenID identifier)

2008-04-02 Thread Chris Drake
Hi Drummond,

I pushed hard for RP identification for 2 or 3 months back around
October 2006.  If anyone wants to go back through the archives,
there's a pile of other important reasons to have some way that an IdP
and/or browser agent can identify an OpenID-enabled site.  The antique
thread below lists a few.  My proposal too was a link tag.

Kind Regards,
Chris Drake


Tuesday, November 7, 2006, 12:51:15 I, you wrote:

CD Hi Johannes,

CD I proposed a solution to the single sign out problem a month or two
CD ago.

CD In fact - a whole range of solutions have been proposed, and relative
CD merits of all discussed already - does anyone have the free time to go
CD back over the postings, extract all the knowledge  contributions, and
CD document them all?

CD To summarize my proposal - I was seeking a standardized OpenID RP
CD endpoint interface into which I (as an IdP) or a software agent (eg: a
CD browser plugin) could post user information - be this a login
CD request, email change request, log-out request, account signup,
CD account cancelation, or whatever.  My preferred implementation was a
CD LINK tag placed on (and thus identifying) a login page, and within
CD the link tag, the endpoint of the RP for accepting IdP(OP/agent)
CD input.

CD Kind Regards,
CD Chris Drake


CD Tuesday, November 7, 2006, 1:04:44 PM, you wrote:

JE I continue to believe that we need single-sign-out
JE functionality, in particular once OpenID moves up the stack for
JE higher-value transactions.


JE Some people have made the case that that is undesirable
JE and/or impossible; I beg to differ.


JE Having automatic authentication against the IdP is quite
JE similar to not having a password on the identity at all, in that
JE it reduces the confidence that we know the real-world identity of
JE the entity/user at the other end. In my view, there's nothing
JE wrong with that, but we do need to be able to convey that to
JE relying parties in a way that cannot be easily attacked.





JE On Nov 6, 2006, at 16:41, Joshua Viney wrote:

JE One question re: User Experience and single-sign-on comes to mind:


JE How do we treat users who are accessing their IdP and
JE Relying Parties via public computers?


JE Use Case:
JE Good User at public library wants to leave a comment on Blog X
JE Blog X requires the person to authenticate via OpenID
JE Good User enters their OpenID and successfully authenticates
JE via email and password (or whatever) (and authorizes the RP
JE ('realm' in 2.0) if necessary) at their IdP
JE Good User is redirected to Blog X signed in
JE Good User leaves comment
JE Good User signs out of Blog X (if sign out is even an option)
JE Good User then leaves the public library and goes shopping
JE Evil User jumps on computer and proceeds to leave comments at
JE any number of OpenID enabled blogs using Good User's OpenID (he
JE saw it while looking over Good User's shoulder, or he checks any
JE sites that Good User did NOT sign out of that might display his
JE OpenID)
JE Evil User, uses Good User's signed in IdP session to sign into any number 
of sites, etc


JE Outcome: Good User's reputation is ruined and his/her OpenID
JE is banned from a whole list of Relying Parties. Good User then
JE blames their IdP, the Relying Parties and OpenID as a technology
JE and tells everyone he/she knows not to use it blogs about it and
JE initiates a press release.


JE It may be easy to pass this off as an implementation specific
JE issue or as user error, but this use case is somewhat likely for
JE 2 reasons:


JE 1. A user's OpenID URI is not necessarily a private thing
JE (obscurity is not security anyway)
JE 2. Users will be at least 1 site removed from their IdP while
JE accessing a Relying Party, and no one is used to signing out twice
JE 3. It is very very likely that IdP's will use some type of remember me 
functionality


JE One solution to consider would be a global sign-out feature
JE on relying party sites that signs users out of their IdP as well.
JE Another solution would be to make very specific recommendations
JE about messaging users who may be using public computers.






JE Josh Viney
JE http://www.eastmedia.com -- EastMedia
JE http://identity.eastmedia.com -- OpenID, Identity 2.0








JE ___
JE user-experience mailing list
JE [EMAIL PROTECTED]
JE http://openid.net/mailman/listinfo/user-experience










Kind Regards,
Chris Drake,
=1id.com


Thursday, April 3, 2008, 4:38:13 AM, you wrote:

  Dick Hardt wrote:
 
  :-) ... that label would be more accurate. There is lots of work to be
  done to make OpenID simpler for users. I think that what will be easy
  for users is something provided by the browser that lets the user
  click to initiate a login or registration. No typing is better than
  any typing! Back when we started working on the protocols we could not
  expect this kind of functionality to be in the browsers. Now that
  awareness is higher, having it built 

RE: IDMML (was RE: Using email address as OpenID identifier)

2008-04-02 Thread Drummond Reed
  George Fletcher wrote:
 
  I think relying party sites that support OpenID could do more to make
 it
  clear on their home pages that they support OpenID (as often it's
 hidden
  behind another click). This could be as simple as some link tags that
  advertise support for OpenID. Maybe a link to the XRDS doc describing
  the services of the site. Then the identity agent can discover the
  relying party OpenID return_to endpoint and log the user in directly.
  Can be used to solve a phishing problem and makes the experience easy
  for the user.
 
  Some related thoughts 
 http://practicalid.blogspot.com/2007/06/clients-to-rescue.html
 
  http://practicalid.blogspot.com/2007/06/passive-identity-meta-system-
  markup.html
 
  Drummond wrote:
  George, I read your two posts with great interest...and then noticed
 that
  they were last summer!
 
  You are a man ahead of your time.
 
  Where has discussion of your IDMML gone since your posts?
 
 George wrote:
 Unfortunately, not as far as I'd like :(  I've not been able to get back
 to the ideas and take them farther. With the other things that have
 happened in the last 6 months there are needed revisions. Maybe this
 could be a discussion at IIW (if there is enough interest)?
 
 At the time there was less consensus around XRDS as a service
 description/meta-data markup. With that changing, the time is better
 to move this forward. I suspect there are significant synergies with
 what Peter hinted at in the work with XRDS, IDP Discovery, and SAML. It
 would be great if identity agents could be the glue that binds the
 different identity systems together for the user (until we on the
 technology side get closer to real convergence:).

George, I agree that several things have evolved which could make an IDMML
practical now. Seems like a very good topic for IIW. I just put it on the
list of proposed sessions:

http://iiw.idcommons.net/index.php/Proposed_Topics_2008a 

=Drummond 



Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
ID is not one that the average user will remember or get right.

 

While the e-mail address does not have to be the one's ID, it can certainly
serve as an alias.  Suppose, for example, that the DNS records at Yahoo
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 U OpenID2
^(.+)@(.*)$!https://me.yahoo.com/\1!i;

 

This would allow a Relaying Party to accept an e-mail address and perform a
simple transformation to get the real URL identifier.  Of course, this
does not mean that the existing URL or XRI identifiers are invalid, nor does
it mean that the email address has to be a real e-mail address.  But, this
form would certainly be far simpler for most people to deal use.

 

If something like this has been discussed and rejected, what was the reason?

 

Thanks,

Paul

 



RE: Using email address as OpenID identifier

2008-04-01 Thread Eran Hammer-Lahav
The beauty of the current OpenID spec is that anyone can implement it and go 
live. However, with email identifiers you need email providers to support it. 
If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I 
am sure the others are likely to follow. Get 2 of these 4 and you've got 
something going. But the biggest issue is not picking a standard but finding a 
company willing to put something out there.

As for the technical solutions, there are many from DNS to XRDS to a simple 
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an 
OpenID issue, but a non-HTTP URI -- HTTP URI conversation. Basically if you 
had a generic way of moving from mailto:[EMAIL PROTECTED] to 
http://example.com/url/user (or any other URI with HTTP, the domain, and the 
user), any URI can be used for OpenID.

But at the end this is about someone of a major email provider saying they are 
interested and put out something people can use. After that I expect the 
snowball to roll. So, do you know anyone? :)

EHL

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

Folks,

I've seen discussion here and there on the use of the e-mail address as the 
OpenID identifier.  Perhaps this one says it best:
http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of same opinions.  If OpenID is going to be practically usable by 
the average person, we cannot require the person to remember some very complex 
identifier.  When I signed up for Yahoo's OpenID service, it presented me with 
a hideously ugly URL that looked similar to a base64-encoded string.  I could 
not begin to tell you what it was.  Fortunately, Yahoo allowed me to define my 
own, friendlier name.  Still, the ID is not one that the average user will 
remember or get right.

While the e-mail address does not have to be the one's ID, it can certainly 
serve as an alias.  Suppose, for example, that the DNS records at Yahoo 
contained the following entry:

  yahoo.com. IN NAPTR 100 10 U OpenID2 
^(.+)@(.*)$!https://me.yahoo.com/\1!i;

This would allow a Relaying Party to accept an e-mail address and perform a 
simple transformation to get the real URL identifier.  Of course, this does 
not mean that the existing URL or XRI identifiers are invalid, nor does it mean 
that the email address has to be a real e-mail address.  But, this form would 
certainly be far simpler for most people to deal use.

If something like this has been discussed and rejected, what was the reason?

Thanks,
Paul



RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Eran,

 

You're entirely correct that this is not an OpenID issue, per se.  In fact,
not a single word of text would need to be changed in the current v2 specs,
as far as I'm concerned.

 

But, I do think that it will take some of the core OpenID team members to
put a stake in the ground and say, this is the convention that we'll
follow.  What needs to happen then is perhaps an extension written that
explains how to convert an email address to a URL.  Using NAPTR records
seems like the simplest way to do it to me, but I'm open to suggestions.

 

Perhaps it is important to say, though, that I do not think it requires the
e-mail providers to get on board with this (in my view) simpler notation.  I
could use an ID like [EMAIL PROTECTED] and that should work, if
myopenid.com would publish the appropriate NAPTR record.  I could also
insert NAPTR records into the packetizer.com DNS server that would allow me
to use my email address, but point at my preferred OpenID provider.  In
short, just because the [EMAIL PROTECTED] syntax is used does not mean that it
is necessarily an e-mail address: it could be, but more importantly, it just
follows that familiar format documented in RFC 822.

 

Paul

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

The beauty of the current OpenID spec is that anyone can implement it and go
live. However, with email identifiers you need email providers to support
it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a
feature, I am sure the others are likely to follow. Get 2 of these 4 and
you've got something going. But the biggest issue is not picking a standard
but finding a company willing to put something out there.

 

As for the technical solutions, there are many from DNS to XRDS to a simple
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not
an OpenID issue, but a non-HTTP URI -- HTTP URI conversation. Basically if
you had a generic way of moving from mailto:[EMAIL PROTECTED] to
http://example.com/url/user (or any other URI with HTTP, the domain, and the
user), any URI can be used for OpenID.

 

But at the end this is about someone of a major email provider saying they
are interested and put out something people can use. After that I expect the
snowball to roll. So, do you know anyone? :)

 

EHL

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

 

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
ID is not one that the average user will remember or get right.

 

While the e-mail address does not have to be the one's ID, it can certainly
serve as an alias.  Suppose, for example, that the DNS records at Yahoo
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 U OpenID2
^(.+)@(.*)$!https://me.yahoo.com/\1!i;

 

This would allow a Relaying Party to accept an e-mail address and perform a
simple transformation to get the real URL identifier.  Of course, this
does not mean that the existing URL or XRI identifiers are invalid, nor does
it mean that the email address has to be a real e-mail address.  But, this
form would certainly be far simpler for most people to deal use.

 

If something like this has been discussed and rejected, what was the reason?

 

Thanks,

Paul

 



Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt


On 1-Apr-08, at 7:37 PM, Brad Fitzpatrick wrote:


-- that said, with directed identity in OpenID 2.0, a user just  
needs to type in yahoo.com, or press the pretty yahoo button.  No  
typing.


I think this is why we don't need to use emails. People are very  
familiar with typing in a URL in the address bar. The experience of  
entering an URL and then being on that page is also really familiar.  
This is of course what happens when you type the OP into the OpenID  
prompt.


Sorry for not being the least bit supportive of the email as  
identifier idea -- there are just so many things that are bad about it  
and the good reason (an identifier they already know) is provided per  
above with the advantage of giving an expected experience.


I agree with Brad that we need to write a FAQ on this.

-- Dick


Re: Using email address as OpenID identifier

2008-04-01 Thread James Henstridge
On 02/04/2008, Paul E. Jones [EMAIL PROTECTED] wrote:
 Folks,

 I've seen discussion here and there on the use of the e-mail address as the
 OpenID identifier.  Perhaps this one says it best:

 http://www.majordojo.com/2007/02/what-openid-needs.php

 I share many of same opinions.  If OpenID is going to be practically usable
 by the average person, we cannot require the person to remember some very
 complex identifier.  When I signed up for Yahoo's OpenID service, it
 presented me with a hideously ugly URL that looked similar to a
 base64-encoded string.  I could not begin to tell you what it was.
 Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
 ID is not one that the average user will remember or get right.

 While the e-mail address does not have to be the one's ID, it can certainly
 serve as an alias.  Suppose, for example, that the DNS records at Yahoo
 contained the following entry:

   yahoo.com. IN NAPTR 100 10 U OpenID2
 ^(.+)@(.*)$!https://me.yahoo.com/\1!i;

 This would allow a Relaying Party to accept an e-mail address and perform a
 simple transformation to get the real URL identifier.  Of course, this
 does not mean that the existing URL or XRI identifiers are invalid, nor does
 it mean that the email address has to be a real e-mail address.  But, this
 form would certainly be far simpler for most people to deal use.

If your aim is to let people use an email address as an identifier,
there are a few questions to answer:

1. when a user enters an email address into an RP, how is the claimed
ID derived from that input?

2. given such an input, how does the RP go about discovering the
OpenID endpoint URL and local ID for that identity?

With answers to these two questions, the remainder of the protocol
should function as is.

I'm guessing (correct me if I'm wrong) that you're suggesting that
this DNS lookup be done as part of (1).  This seems like it would
cause confusion if the user's ISP changed their DNS, since the user
would see their email address as being the real identifier: not the
URL that it maps to.

A solution that matches closer with what the user expects would be to
map [EMAIL PROTECTED] to a claimed ID of mailto:[EMAIL PROTECTED].

For (2), I'd suggest a solution that maps the email address either
directly to an OpenID endpoint (using the claimed ID as local ID), or
to an XRDS file.  A DNS based solution seems fine here (either your
NAPTR idea, or TXT records as suggested in replies to your post).

James.


RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Brad,

 

Your point about DNS limitations is valid.  Then again, anybody who will be 
offering the open identity server is likely going to have control over their 
DNS.  Still, I’m not opposed to alternatives.

 

But, since you brought up the fact that one can enter yahoo.com and get 
redirected, I checked and, indeed, several OpenID sites already accept the 
e-mail ID as a form of identification—and I can get redirected to either Yahoo 
or MyOpenID.com.  So, do some of the libraries already check for e-mail address 
forms?  It seems that perhaps they do!

 

Paul

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brad Fitzpatrick
Sent: Tuesday, April 01, 2008 10:38 PM
To: Paul E. Jones
Cc: specs@openid.net
Subject: Re: Using email address as OpenID identifier

 

This has been discussed to death and really should be a FAQ by now, but it's 
not written up, so I'll add a few points:

-- we should discuss this as a generic email to URL mapping problem, and ignore 
what is done with that URL then.  yes, it could be used as an OpenID

-- that said, with directed identity in OpenID 2.0, a user just needs to type 
in yahoo.com, or press the pretty yahoo button.  No typing.

-- For email-to-URL, NAPTR by itself is a non-starter.  Technically it may be 
the correct way, but average people don't control their DNS.  Hell, 
networksolutions doesn't even let you add SRV or TXT records.

-- A good solution to email-to-URL mapping will likely involve an 
XRDS-Simple-style two-pronged discovery lookup path.  Whereas XRDS-Simple says 
try Accept header, then parse the head tag, a good email-to-URL lookup 
protocol (best practice?) might be to try NAPTR first, then fall back to this:

http://brad.livejournal.com/2357444.html

- Brad

2008/4/1 Paul E. Jones [EMAIL PROTECTED]:

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the 
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of same opinions.  If OpenID is going to be practically usable by 
the average person, we cannot require the person to remember some very complex 
identifier.  When I signed up for Yahoo's OpenID service, it presented me with 
a hideously ugly URL that looked similar to a base64-encoded string.  I could 
not begin to tell you what it was.  Fortunately, Yahoo allowed me to define my 
own, friendlier name.  Still, the ID is not one that the average user will 
remember or get right.

 

While the e-mail address does not have to be the one's ID, it can certainly 
serve as an alias.  Suppose, for example, that the DNS records at Yahoo 
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 U OpenID2 
^(.+)@(.*)$!https://me.yahoo.com/\1!i;

 

This would allow a Relaying Party to accept an e-mail address and perform a 
simple transformation to get the real URL identifier.  Of course, this does 
not mean that the existing URL or XRI identifiers are invalid, nor does it mean 
that the email address has to be a real e-mail address.  But, this form would 
certainly be far simpler for most people to deal use.

 

If something like this has been discussed and rejected, what was the reason?

 

Thanks,

Paul

 




RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Dick,

 

On this point, I really have to disagree.  Even I rarely enter a URL into a
web browser. Why bother when I know the web browser will figure it out for
me.  I don't want to type http:// or https:// :-)

 

More importantly, you and I are different than the average users.  I've
watched people struggle with getting addresses properly entered.  I've
watched people put www in front of every name entered into a web browser,
even when the site might be something else.  I've watched users enter \\
rather than //.  I've even seen no slash at all.

 

So, what I think is important is that users have something simple and
consistent.  As I noted to my message to Brad just a moment ago, it appears
that some sites will accept the e-mail address form and then figure out
where to direct the user.   I was pleasantly surprised.

 

Given that at least some of the sites out there now do operate this way, I
suspect it might just be a matter of time before all of them do.  But, I
think it's important that the user experience is consistent, as you say.  If
email IDs are going to be supported by some, they ought to be supported
by all - even if they do nothing but figure out which OP to direct the
browser to.

 

Paul

 

From: Dick Hardt [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 11:45 PM
To: Brad Fitzpatrick
Cc: Paul E. Jones; specs@openid.net
Subject: Re: Using email address as OpenID identifier

 

 

On 1-Apr-08, at 7:37 PM, Brad Fitzpatrick wrote:


-- that said, with directed identity in OpenID 2.0, a user just needs to
type in yahoo.com, or press the pretty yahoo button.  No typing.

 

I think this is why we don't need to use emails. People are very familiar
with typing in a URL in the address bar. The experience of entering an URL
and then being on that page is also really familiar. This is of course what
happens when you type the OP into the OpenID prompt.

 

Sorry for not being the least bit supportive of the email as identifier idea
-- there are just so many things that are bad about it and the good reason
(an identifier they already know) is provided per above with the advantage
of giving an expected experience.

 

I agree with Brad that we need to write a FAQ on this.

 

-- Dick



RE: Using email address as OpenID identifier

2008-04-01 Thread Paul E. Jones
Eran,

 

I'm not suggesting that the address must be a real e-mail address.  I'm
suggesting that the ID has that form.  It's easier for users than entering
https://me.yahoo.com/userid.  If it happens to also be one's real e-mail
address, fine.  That would be a plus for me, but I don't see that as a
requirement.

 

Paul

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Wednesday, April 02, 2008 12:17 AM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

Take a look at
http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html -
especially the list of other solutions proposed before me, as well as Brad's
proposal.

 

The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support
this DNS, and they *are* the email providers.

 

EHL

 

From: Paul E. Jones [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 11:42 PM
To: Eran Hammer-Lahav; specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

Eran,

 

You're entirely correct that this is not an OpenID issue, per se.  In fact,
not a single word of text would need to be changed in the current v2 specs,
as far as I'm concerned.

 

But, I do think that it will take some of the core OpenID team members to
put a stake in the ground and say, this is the convention that we'll
follow.  What needs to happen then is perhaps an extension written that
explains how to convert an email address to a URL.  Using NAPTR records
seems like the simplest way to do it to me, but I'm open to suggestions.

 

Perhaps it is important to say, though, that I do not think it requires the
e-mail providers to get on board with this (in my view) simpler notation.  I
could use an ID like [EMAIL PROTECTED] and that should work, if
myopenid.com would publish the appropriate NAPTR record.  I could also
insert NAPTR records into the packetizer.com DNS server that would allow me
to use my email address, but point at my preferred OpenID provider.  In
short, just because the [EMAIL PROTECTED] syntax is used does not mean that it
is necessarily an e-mail address: it could be, but more importantly, it just
follows that familiar format documented in RFC 822.

 

Paul

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs@openid.net
Subject: RE: Using email address as OpenID identifier

 

The beauty of the current OpenID spec is that anyone can implement it and go
live. However, with email identifiers you need email providers to support
it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a
feature, I am sure the others are likely to follow. Get 2 of these 4 and
you've got something going. But the biggest issue is not picking a standard
but finding a company willing to put something out there.

 

As for the technical solutions, there are many from DNS to XRDS to a simple
template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not
an OpenID issue, but a non-HTTP URI -- HTTP URI conversation. Basically if
you had a generic way of moving from mailto:[EMAIL PROTECTED] to
http://example.com/url/user (or any other URI with HTTP, the domain, and the
user), any URI can be used for OpenID.

 

But at the end this is about someone at a major email provider saying they
are interested and putting out something people can use. After that I expect the
snowball to roll. So, do you know anyone? :-)

 

EHL

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs@openid.net
Subject: Using email address as OpenID identifier

 

Folks,

 

I've seen discussion here and there on the use of the e-mail address as the
OpenID identifier.  Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

 

I share many of the same opinions.  If OpenID is going to be practically usable
by the average person, we cannot require the person to remember some very
complex identifier.  When I signed up for Yahoo's OpenID service, it
presented me with a hideously ugly URL that looked similar to a
base64-encoded string.  I could not begin to tell you what it was.
Fortunately, Yahoo allowed me to define my own, friendlier name.  Still, the
ID is not one that the average user will remember or get right.

 

While the e-mail address does not have to be one's ID, it can certainly
serve as an alias.  Suppose, for example, that the DNS records at Yahoo
contained the following entry:

 

  yahoo.com. IN NAPTR 100 10 U OpenID2 ^(.+)@(.*)$!https://me.yahoo.com/\1!i;

 

This would allow a Relying Party to accept an e-mail address and perform a
simple transformation to get the real URL identifier.  Of course, this
does not mean that the existing URL or XRI identifiers are invalid, nor does
it mean that the email address has to be a real e-mail address.  But, this
form would certainly be far simpler for most people to deal use
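
Added example (not part of the original message or of any OpenID library): a sketch of the transformation the proposed NAPTR record describes, with the record embedded as a constructed string instead of being fetched from DNS. The regexp field is written in RFC 3403 form with a leading "!" delimiter, which is an assumption; the function names, the local-part allow-list and the identifier alice@yahoo.com are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: regexp field of the proposed record, in RFC 3403 form
# (delimiter, ERE, delimiter, replacement, delimiter, flags).
SAMPLE_NAPTR_REGEXP = r"!^(.+)@(.*)$!https://me.yahoo.com/\1!i"

# Assumption: a conservative local-part alphabet, so the substituted value
# cannot add path, query or fragment syntax to the resulting URL.
SAFE_LOCAL_PART = re.compile(r"^[A-Za-z0-9._+-]+$")


def parse_naptr_regexp(field):
    """Split a NAPTR regexp field into (pattern, replacement, flags)."""
    if len(field) < 3:
        raise ValueError("regexp field too short")
    parts = field[1:].split(field[0])  # first character is the delimiter
    if len(parts) != 3:
        raise ValueError("expected delim-ERE-delim-replacement-delim-flags")
    return parts[0], parts[1], parts[2]


def email_form_to_url(identifier, naptr_regexp):
    """Apply the NAPTR substitution to a user@domain identifier."""
    local, sep, domain = identifier.rpartition("@")
    if not sep or not domain or not SAFE_LOCAL_PART.match(local):
        raise ValueError("not an acceptable user@domain identifier")
    pattern, replacement, flags = parse_naptr_regexp(naptr_regexp)
    # Assumption: the POSIX ERE in the record is also valid for Python's re.
    match = re.match(pattern, identifier, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        raise ValueError("NAPTR regexp does not match identifier")
    # Replace \1..\9 in the replacement with the captured groups.
    url = re.sub(r"\\([1-9])", lambda m: match.group(int(m.group(1))), replacement)
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing non-HTTPS discovery URL")
    return url
```

The returned URL is only the starting point for ordinary OpenID discovery and authentication; the e-mail form itself proves nothing about who typed it.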

Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt


On 1-Apr-08, at 10:02 PM, Paul E. Jones wrote:


Dick,

On this point, I really have to disagree.  Even I rarely enter a URL  
into a web browser. Why bother when I know the web browser will  
figure it out for me.  I don’t want to type http:// or https:// :-)


I don't want to type the protocol either. I should have been more  
clear, the user types yahoo.com or aol.com into the prompt. Since this  
is NOT the identifier (which is a useful aspect of this method) -- the  
risks of NOT using https are much lower.


-- Dick


Re: Using email address as OpenID identifier

2008-04-01 Thread James Henstridge
On 02/04/2008, Paul E. Jones [EMAIL PROTECTED] wrote:
 Brad,

 Your point about DNS limitations is valid.  Then again, anybody who will be
 offering the open identity server is likely going to have control over their
 DNS.  Still, I'm not opposed to alternatives.

 But, since you brought up the fact that one can enter yahoo.com and get
 redirected, I checked and, indeed, several OpenID sites already accept the
 e-mail ID as a form of identification—and I can get redirected to either
 Yahoo or MyOpenID.com.  So, do some of the libraries already check for
 e-mail address forms?  It seems that perhaps they do!

What you are seeing is probably not what you expect:

>>> from openid.consumer.discover import discover
>>> claimed_id, services = discover('[EMAIL PROTECTED]')
>>> for service in services:
...     print 'Local ID:', service.getLocalID()
...     print 'Server URL:', service.server_url
...
Local ID: None
Server URL: https://open.login.yahooapis.com/openid/op/auth
>>> claimed_id
'http://www.yahoo.com/'

What is happening is that [EMAIL PROTECTED] is being treated as
http://[EMAIL PROTECTED]/.  http://yahoo.com results in an
identifier select endpoint that will work for any Yahoo user.

Note that the HTTP username isn't being used for anything here, and
you'll get the same result by just entering yahoo.com.  I wonder if
the Yahoo guys had considered this, or if it is just a happy accident?

James.
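
Added example (not part of James's post and not python-openid code): a sketch of the OpenID 2.0 section 7.2 input normalization that produces the behaviour described above, showing that the typed local part ends up as URL userinfo and plays no role in where discovery goes. The function names and the identifiers alice@yahoo.com and bob@yahoo.com are hypothetical, constructed samples.

```python
from urllib.parse import urlsplit

# XRI global context symbols plus "(" (OpenID 2.0, section 7.2).
XRI_PREFIXES = ("=", "@", "+", "$", "!", "(")


def normalize_user_input(text):
    """Normalize what the user typed the way an OpenID 2.0 RP does."""
    text = text.strip()
    if text.startswith("xri://"):
        text = text[len("xri://"):]
    if text.startswith(XRI_PREFIXES):
        return {"kind": "xri", "normalized": text,
                "fetch": None, "ignored_userinfo": None}
    if not text.lower().startswith(("http://", "https://")):
        text = "http://" + text  # no scheme typed: http is assumed
    parts = urlsplit(text)
    if not parts.hostname:
        raise ValueError("no host in identifier")
    host = parts.hostname
    if parts.port:
        host += ":%d" % parts.port
    fetch = "%s://%s%s" % (parts.scheme.lower(), host, parts.path or "/")
    if parts.query:
        fetch += "?" + parts.query
    return {
        "kind": "url",
        "normalized": text.split("#", 1)[0],  # fragment is dropped
        "fetch": fetch,                       # where discovery really goes
        "ignored_userinfo": parts.username,   # typed local part, never verified
    }


def same_discovery_target(a, b):
    """True when two typed identifiers start discovery at the same URL."""
    return normalize_user_input(a)["fetch"] == normalize_user_input(b)["fetch"]
```

Because every user@yahoo.com input starts discovery at the same URL, a relying party has to key the account on the claimed identifier asserted by the OP after authentication, never on the string typed into the prompt.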