identity as a URL instead of an email? hrmmmm

Martin Atkins mart at degeneration.co.uk
Mon Mar 27 07:00:10 UTC 2006


S. Alexander Jacobson wrote:
> On Sun, 26 Mar 2006, Martin Atkins wrote:
> 
>> How can someone who uses, for example, a hotmail.com email address make
>> use of your system without Hotmail's co-operation? Loads of people have
>> hotmail addresses.
> 
> 
> To be clear, my main complaint about openId/yadis/sxip is that they
> require adoption by both users AND membersites to get going.  And the
> user-education/adoption story for them felt highly unrealistic.  One of
> my goals for pass.net was to eliminate the explicit
> user-adoption/education component.
> 
> So, with pass.net, it is the "member site" that decides whether or not
> to support the protocol.  If the user's email domain doesn't yet do its
> part, then the member site can default to a shared pass.net protocol
> email address authentication provider.
> 

I see where you're coming from. You've created a system which aims to
avoid the need for user "buy in" before users can make use of it. This
is a good goal.

However, if your common case is using pass.net, then what you've created
is little better than MSN Passport; the entire system is dependent on
one domain which is itself controlled by one entity. If you go away or
turn evil, the whole system comes crashing down.

Sure, at that point there is the option for people to set up their DNS
to run it themselves, but there's still the problem that most users will
be unable to bootstrap themselves without changing email address or
switching to a more costly hosting plan.

OpenID as it currently stands has a few different identity providers
(TypeKey, MyOpenID, vIdentity, LiveJournal, GreatestJournal, ...) but
most importantly provides a layer of abstraction that allows users to
switch between these without throwing away the identity: the "delegate"
mechanism. This leaves us in a similar situation to you:
* Users can take the "easy option" and have all of the hard work done
for them if they want by signing up to an identity host.
* With a little extra work, a user can set up a personalized layer of
abstraction over a hosted identity, in a conceptually similar fashion to
email forwarding.

What OpenID is missing is a way for users who have never heard of OpenID
nor distributed identity to "jump right in" without learning about it
and having to choose an identity provider right off the bat. This, as I
see it, is the main virtue of your system.

I can't help but feel that there must be a middle road here somewhere. I
suppose that the nice thing about asking for an email address is that
there's always the fallback of just doing traditional email validation
if all else fails, with no extra pain on the user's part.


