[OT] Re: User @ domain.tld as ID (Once again)
dagon at dagon.net
Thu Nov 3 11:36:20 PST 2005
My fundamental concern about email-looking identities is that it's
misleading about what is actually asserted by the protocol.
With OpenID, the claimed identity is validated to resolve to a fetchable
URL that has difficult-to-fake content. This is direct: a claimed
identity has the ability to control the contents of its URL.
With an identifier that is NOT a URL, this direct link between claim and
authentication is broken. foo at bar.com will authenticate that some URL is
in control of the claimant, but that claimant may not be the actual
recipient of mail to foo at bar.com.
I don't think using a URL as a claimed identity is leaking an
implementation detail. I think it's making the entire point of the
authentication visible, obvious, and transparent.
Mark Rafn dagon at dagon.net <http://www.dagon.net/>
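The distinction the post draws, as an added example that is not part of the original message: OpenID 1.x-style discovery run offline against constructed HTML, where a URL identifier resolves to a document carrying a `<link rel="openid.server">` the claimant controls, while an email-looking identifier has no such document to resolve to. The hostnames, HTML and `FAKE_WEB` fetch stand-in are constructed for illustration.

```python
# Added example, not from the post: OpenID 1.x-style discovery run offline
# against constructed HTML. A URL identifier resolves to a document whose
# <link rel="openid.server"> the claimant controls; an email-looking
# identifier has no such document to resolve to. Hosts are made up.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for fetching the claimed URL over HTTP.
FAKE_WEB = {
    "http://alice.example/": (
        '<html><head><link rel="openid.server" href="http://idp.example/openid">'
        '<link rel="openid.delegate" href="http://idp.example/u/alice">'
        "</head><body>alice</body></html>"),
    "http://bob.example/": "<html><head><title>no openid here</title></head></html>",
}


class LinkParser(HTMLParser):
    """Collect rel -> href from <link> tags in the fetched document."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            self.links[a["rel"].lower()] = a["href"]


def normalize(identifier):
    """Turn a claimed identifier into a fetchable URL, or None for an
    email-looking identifier (nothing says which URL that mailbox's owner controls)."""
    ident = identifier.strip()
    if "@" in ident:
        return None
    if not ident.startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlparse(ident)
    if not parts.netloc:
        return None
    return ident if parts.path else ident + "/"


def discover(identifier, fetch=FAKE_WEB.get):
    """Resolve identifier to (claimed_url, server, delegate), or None."""
    url = normalize(identifier)
    body = fetch(url) if url else None
    if body is None:
        return None
    p = LinkParser()
    p.feed(body)
    server = p.links.get("openid.server")
    if server is None:
        return None
    return url, server, p.links.get("openid.delegate", url)
```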