[OT] Re: User @ domain.tld as ID (Once again)

Mark Rafn dagon at dagon.net
Thu Nov 3 11:36:20 PST 2005

My fundamental concern about email-looking identities is that it's 
misleading about what is actually asserted by the protocol.

With OpenID, the claimed identity is validated to resolve to a fetchable 
URL that has difficult-to-fake content.  This is direct: a claimed 
identity has the ability to control the contents of its URL.

With an identifier that is NOT a url, this direct link between claim and 
authentication is broken.  foo at bar.com will authenticate that some URL is 
in control of the claimant, but that claimant may not be the actual 
recipient of mail to foo at bar.com.

I don't think using a URL as a claimed identity is leaking an 
implementation detail.  I think it's making the entire point of the 
authentication visible, obvious, and transparent.

Mark Rafn    dagon at dagon.net    <http://www.dagon.net/>
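The direct link the post describes (claimed identifier, normalised to a URL, fetched, with the page's own link tags naming the server that will authenticate it) can be seen in code. The block below is an added example, not code from the post or from any OpenID implementation: it does OpenID 1.x style discovery offline over constructed sample pages, and contrasts a URL identifier with an e-mail-shaped one. The e-mail-to-URL mapping it uses (foo@bar.example -> http://bar.example/foo) is a hypothetical site convention, not anything the protocol defines, and the point is that whatever mapping is chosen, a successful assertion proves control of the mapped page, not receipt of mail at the address.

```python
"""Added example: OpenID 1.x identity-URL discovery, run offline.

Claimed identifier -> normalised identity URL -> fetched page -> the
rel="openid.server" / rel="openid.delegate" link tags on that page.
The e-mail mapping below is a hypothetical convention, not part of OpenID.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _OpenIDLinkParser(HTMLParser):
    """Collect the first rel="openid.server" and rel="openid.delegate" link tags."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        href = a.get("href")
        if href and rel in ("openid.server", "openid.delegate"):
            self.links.setdefault(rel, href)  # first occurrence wins


def classify_identifier(claimed: str) -> str:
    """'url' if it is (or normalises to) an http(s) URL, 'email' if it looks
    like user@host, else 'unknown'."""
    s = claimed.strip()
    if "@" in s and "/" not in s and " " not in s:
        local, _, host = s.rpartition("@")
        if local and "." in host:
            return "email"
    if "://" in s:
        p = urlparse(s)
        return "url" if p.scheme in ("http", "https") and p.netloc else "unknown"
    if "." in s and " " not in s:  # bare host: OpenID 1.x prepends http://
        return "url"
    return "unknown"


def normalize_identity_url(claimed: str) -> str:
    """Add http:// if missing, give a bare host a trailing slash, drop fragments."""
    s = claimed.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlparse(s)
    out = f"{p.scheme}://{p.netloc}{p.path or '/'}"
    if p.query:
        out += "?" + p.query
    return out


def email_to_identity_url(email: str) -> str:
    """HYPOTHETICAL mapping (assumption, not OpenID): foo@bar.example -> http://bar.example/foo."""
    local, _, host = email.rpartition("@")
    return f"http://{host}/{local}"


def discover(html: str) -> dict:
    """Parse a fetched identity page for its OpenID 1.x link tags."""
    p = _OpenIDLinkParser()
    p.feed(html)
    if "openid.server" not in p.links:
        raise ValueError("no openid.server link on identity page")
    return {"server": p.links["openid.server"], "delegate": p.links.get("openid.delegate")}


def resolve(claimed: str, fetch) -> dict:
    """Map a claimed identifier to the URL whose control will actually be proven."""
    kind = classify_identifier(claimed)
    if kind == "email":
        url = email_to_identity_url(claimed)
    elif kind == "url":
        url = normalize_identity_url(claimed)
    else:
        raise ValueError(f"not an OpenID identifier: {claimed!r}")
    info = discover(fetch(url))
    return {
        "claimed": claimed,
        "identity_url": url,
        "server": info["server"],
        "delegate": info["delegate"] or url,
        "proves": "control of " + url,  # never "receives mail at <address>"
    }


# Constructed sample pages (not real sites), keyed by the URL a fetch would hit.
SAMPLE_PAGES = {
    "http://alice.example.org/": (
        '<html><head><link rel="openid.server" href="http://op.example.net/server">'
        '<link rel="openid.delegate" href="http://alice.op.example.net/"></head></html>'
    ),
    "http://bar.example/foo": (
        '<html><head><link rel="openid.server" href="http://bar.example/openid"></head></html>'
    ),
}


def fetch_sample(url: str) -> str:
    """Stand-in for an HTTP GET against the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for ident in ("alice.example.org", "foo@bar.example"):
        print(resolve(ident, fetch_sample))
```

Running it shows that the e-mail-shaped identifier ends up proving "control of http://bar.example/foo", which is exactly the gap the post points at: nothing in that exchange involves the mailbox.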

