User @ domain.tld as ID (Once again)

Zefiro work at zefiro.de
Thu Nov 3 11:41:24 PST 2005


Why is it that some people think email addresses or identifiers looking like email addresses are superior to HTTP URLs?

This introduces a real bunch of technical problems, which have no clean solution. Usernames in HTTP requests are ugly, browsers
might confuse them with phishing, servers might not support them. All mapping schemes involve some kind of magic in it - be it a
magic mapping, a magic header specifying a mapping or a magic centralised server providing lists of mappings for different
servers - a thought which horrifies me, since this has nothing to do with decentralisation or 'everyone can join in'. Provides a
single point of failure and inconsistencies. The spec has to make sure that when an ID is accepted at one site, it is equally
accepted in all other sites implementing this spec. Otherwise the spec is useless (compared to the goal to have an open,
independent, general and future-proof system).

I don't see the advantages of email addresses.

Most people I know have multiple email addresses. One for work, another at home, perhaps an anonymous one. The get them from
their employer, ISP or freemail provider. Actually, addresses from freemail providers are extremly common. The reasons are to
have separate identities (yes, it's the same concept) or to better handle spam.

Spam is a strong argument. I do not support any protocol which makes direct contact information - like email - publicly
available everywhere I want to show an identity, and especially not when indexed by search engines (and therefore also spam
spiders). The necessity to provide email addresses when registering anywhere online is accepted only with the promise to not
reveal said address. Which is a big difference between using EBIA and using the email address itself as ID.

The current situation is not that nobody has any online identity, but everyone has (exactly one) email address. Actually it's
more like everyone creates accounts in bulletin boards, forums, chats, messangers, email providers, etc separately, each secured
by password authentification. I don't see much difference in registering a new user in a board or registering a new user at an
identity provider like videntity.org - and the latter you only have to do once. Very similar in creating a freemail address,
which most people are capable of. And you don't need to have an own homepage for this.

Besides, I myself have two types of mail addresses: a couple I use actively and try hard not to put them on the net, give them
out to untrusted web sites and the like. And one-time addresses, which I just make up (using a catchall-domain) for every
website asking me for an address. I would use neither as ID - the first I won't use to prevent spam, the second are not real
'identities'.

You could say that the address entered is never displayed to the end user and only used for login, thus it would not matter how
it looked like and if it was an email address. This would eliminate the spam problem. But it would also eliminate the whole idea
behind this - to have identities which users actually _can_ see and recognize as being identical over sites.

"People (outside the blog-o-sphere) recognize email addresses as people, URLs as websites" is a valid argument. Actually the
only one I'd accept. But I think the technical problems and real world email usage outweight it.

Btw, people will use what is given to them, after some time of familiarization. Just _because_ I strongly encourage usability, I
discourage using technically problematic designs which could end in incompatible IDs.

And this is not a 'backward-compatibility' thing, either. Nobody stops anyone from using email addresses for email. It is about
a new identification scheme. It could just as well invent a new protocoll - only reason it doesn't is that it wants to use
existing infrastructure. If you want to have a single identity, you could as well put your email address on the HTTP URL used by
OpenID, for example. Or possibly patch your mail client that it accepts YADIS, too.

But speaking about compatibility, one reason mentioned in the previous discussion was that allowing email addresses for YADIS
(or OpenID, back then) would not enable all users of email to have an identity. Instead you would end up having some email
addresses which are capable of being used as an identity, and others which are not. The question of whether an address actually
is an identity is far more important as to where the identitiy metadata document resides. I think it was exactly this reason
which stopped the debate: OpenID didn't allow it to avoid this confusion (for the end users).



*purrrrrr*



More information about the yadis mailing list