Simplifying OpenId

Martin Atkins mart at
Mon Jan 9 23:11:49 UTC 2006

S. Alexander Jacobson wrote:
> On reflection, I don't get the use of <link rel...> tags and homepage
> URLs.  Email addresses are already the de-facto Internet standard for user
> identity.  We should be enhancing use of this namespace rather than
> creating new ones.  Here is the obvious protocol for authenticating
> email addresses:
>   1. User supplies email address to consumer site.

I don't want to give consumer sites my email address. I don't want them
to contact me.

>   2. Consumer site looks up UserId DNS record for email address domain
> name.
>      (Note: I don't think UserId records need to have priorities like MX
>       records)

You're adding new DNS RR types now? Bang goes any chance of adoption.
Nameservers won't support it for years, and in the short term most of
the freebie DNS hosting services can't even manage SRV records, let
alone some wacky new one you've just made up.

>   3. If UserId record is absent/broken, send email with a validation URL.
>      If UserID DNS record is present, consumer site posts to UserID_URL:
>      POST UserID_URL
>      content-type: application/x-www-form-urlencoded
>      email=user at domain&is_email=is_email_url
>      201 CREATED
>      Location: redirectURL

So essentially, you've just created a weak LID clone with an extra layer
of abstraction over it so you can pretend you're using email addresses
as tokens. In practice, all you've done is created identifiers that look
a bit like email addresses; my email address is unlikely to be the same
as my identifier because my free mail hosting provider doesn't support
authentication and my identity provider doesn't provide email service.

This is a similar situation with Jabber: my Jabber ID is completely
different from my email address, and though I could make it the same
with substantial effort on my part, that's just because I have my own
domain and the technical knowledge to run my own DNS server and my own
Jabber server.

Also, if you're going to add new stuff to DNS anyway, why not just make
the identifier be a domain name rather than pretending it's an email
address? I can enter just as easily as I can enter
frank at, and that makes the procedure much simpler.

Of course, DNS responses have a practical upper limit on length, so
returning entire URLs — which can potentially be quite long — in them is
likely to cause strange failures with differing DNS server and client

Sorry to be so negative, but you've already enumerated every possible
benefit I can think of, so I figured your proposal could do with a
healthy dose of drawbacks too.

All the best,
