myopenid and cap-key-links instead of passwords

Martin Atkins mart at
Sat Jan 28 12:11:08 UTC 2006

David Nicol wrote:
> so I set up and openID account so I could post a comment to a blog,
> and promptly forgot the password.
> By using passwords, this SSO system contributes to the password glut
> rather than helping mitigate it more aggressively.
> A better system IMO is to use e-mailed tokens to verify identity.  Not
> just at the beginning for e-mail association verification but for sign-in.
> If one's account is configured to work that way.

How you "log in" to your authenticating server is an implementation
detail. There's nothing to stop some server using HTTP Auth, or using
email as you describe, or even (in some very-controlled cases) just
seeing the remote user's IP address and assuming it's the right person.

None of this is specified for OpenID. OpenID just specifies how to
inform the consumer site of what has been discovered by whatever means
is appropriate.

More information about the yadis mailing list