Dick Hardt dick at sxip.com
Fri Feb 9 08:19:45 UTC 2007

I continue to feel very strongly that a user entering their email address into an OpenID form is a really bad idea.

Do we have to rehash this again?  Perhaps a FAQ on why it is a bad idea? :-)

-- Dick

On 8-Feb-07, at 11:35 PM, Recordon, David wrote:

> So this is a debate that I know I've been hearing for at least six
> months now.  Dmitry's proposal this last week of actually connecting to
> the MTA is different from previous discussions and I do believe has its
> own merits.  With that said, I think it makes sense to lay out the
> various options on the table so that we can weigh pros and cons.  Thus
> far, I haven't seen a single solution which really "wows" me to the
> point of knowing it is the right one.
>
> 1) Static method of transforming to URL (user at example.com ->
> http://user.example.com, http://example.com/~user, etc)
> 2) Treat as just a way to bootstrap discovery (Yadis on
> http://example.com and assertion about some URL)
> 3) Bootstrap discovery and make assertion about original format (Yadis
> on http://example.com and assertion about user at example.com)
> 4) Treat as email address and contact MTA (DNS query for MX record on
> example.com and then query MTA for XRDS of user at example.com)
> 5) Treat as Jabber ID and contact Jabber server (DNS SRV record for
> Jabber server then query for XRDS of user)
> 6) Treat as an HTTP auth url (Yadis on http://user@example.com)
>
> I'm not really sold on any of them.
>  - I think the static transformation will run into too many legacy
> deployment issues.
>  - Just bootstrapping discovery will confuse users since the RP will
> recognize them as a URL versus email style identifier
>  - I actually like this one. :P
>  - Annoying to modify MTAs and how do you know it is email versus
> jabber.
>  - Annoying to modify Jabber servers, people will expect it is an email
> address, how do you know it is jabber versus email.
>  - Possible weird reactions by web servers.
>
> So I guess my preference is the 3rd option, where you bootstrap
> discovery on the domain portion, pass "user at example.com" as the LocalID,
> and have the OP make an assertion about that actual identifier.  It
> removes the issue of email vs. jabber, though requires you run a
> webserver at the root domain and have one OP for every user.
>
> Thoughts?
> --David
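As an added example (not code from this thread or from any OpenID library), here is how an RP could handle the email-style identifier for options 1, 2, 3 and 6 above: the identifier is parsed under a deliberately strict grammar so the local part can never change the host or path of the URL derived from it, and each option is mapped to the URL discovery runs on and the identifier the OP is asked to assert about. The grammar, the option labels and the `userinfo_stripped` helper are my own assumptions; options 4 and 5 need live MX/SRV lookups and are left out.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed grammar, deliberately narrower than RFC 5322: a local part that
# passes it cannot carry "/", "?", "#", "@" or ":" into a URL derived from it.
LOCAL_PART = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}")
DNS_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_email_style(raw: str) -> bool:
    """True for 'user@example.com'; False for anything carrying a scheme or path."""
    raw = raw.strip()
    return "://" not in raw and "/" not in raw and raw.count("@") == 1


def parse_email_identifier(raw: str) -> tuple[str, str]:
    """Split an email-style identifier into (local, domain) or raise ValueError."""
    raw = raw.strip()
    if not is_email_style(raw):
        raise ValueError("not an email-style identifier")
    local, domain = raw.split("@")
    domain = domain.lower().rstrip(".")          # case-fold, drop trailing dot
    if not LOCAL_PART.fullmatch(local):
        raise ValueError("local part contains URL-significant characters")
    labels = domain.split(".")
    if len(labels) < 2 or not all(DNS_LABEL.fullmatch(l) for l in labels):
        raise ValueError("domain is not a well-formed hostname")
    return local, domain


def discovery_plan(raw: str) -> dict[str, tuple[str, str]]:
    """Map options 1, 2, 3 and 6 from the thread to
    (URL the RP performs Yadis discovery on, identifier the OP asserts about)."""
    local, domain = parse_email_identifier(raw)
    root = f"http://{domain}/"
    tilde = f"http://{domain}/~{quote(local, safe='')}"   # '+' etc. percent-encoded
    auth = f"http://{local}@{domain}/"
    return {
        "1-static-tilde": (tilde, tilde),
        "2-bootstrap-only": (root, "claimed URL named in the domain's XRDS"),
        "3-bootstrap-localid": (root, f"{local}@{domain}"),   # David's preference
        "6-http-auth": (auth, auth),
    }


def userinfo_stripped(url: str) -> str:
    """Option-6 caveat: 'user' in http://user@example.com/ is URL userinfo, not
    part of the host, and some HTTP clients turn it into Basic-auth credentials.
    Return the URL the RP should actually fetch, with the userinfo removed."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}{parts.path or '/'}"
```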
