tag:blogger.com,1999:blog-4330666749808011734.post6206321042423617454..comments2008-10-25T10:42:10.964-07:00Davidnoreply@blogger.comBlogger2125tag:blogger.com,1999:blog-4330666749808011734.post-24424648963356179532008-10-25T10:42:10.964-07:002008-10-25T10:42:10.964-07:00Great Point in paragraph two of your comment. I have a slight case of the flu, so after re-reading my blog post, I think I was less than clear on that point.<BR/><BR/>In an ideal world, people would login to their RP with EAUT, so the RP would have the email address in question (used to login) and the RP could assume that the email address is verified, since it maps to an OpenID that the user controls. <BR/><BR/>I think the underlying thing to take from my blog entry is that if a user logs in with a URL or XRI OpenID, or a username/password even, then EAUT and OpenID could be used to verify that user's email address(s).<BR/><BR/>The more I think about it, I think our two proposals are saying and doing the same thing, except that you are also advocating that an email-address be treated as a "native" (or 1st-Class) OpenID, whereas I am advocating that email-addresses merely "map" to an OpenID. <BR/><BR/>Regardless of how we answer that question, I think email-address verification could work the same for both of our proposals.<BR/><BR/>(Now we just need to figure out if email-addresses should be 1st or 2nd-class OpenID citizens, but that's a different arguement, I think).Davidhttp://www.blogger.com/profile/06849597678558006899noreply@blogger.comtag:blogger.com,1999:blog-4330666749808011734.post-20530966032327198262008-10-24T16:04:15.973-07:002008-10-24T16:04:15.973-07:00I also recently posted <A HREF="http://community.livejournal.com/apparentlymart/18123.html" REL="nofollow">an entry on this subject</A>, though yours is far more thoughrough and I like the idea of using the word "verification" to distinguish between this and actually proving a user can recieve mail at the address.<BR/><BR/>I find it interesting that your proposal requires the RP to ask for both an "OpenID Identifier" (which you imply must be a HTTP URL) and an email address, and you then prove that the email address maps to the OpenID identifier.<BR/><BR/>The model I'm imagining collapses this all into a single step: you ask the user for the email address at the outset, and then use <I>that</I> as the OpenID Identifier. OpenID can actually be used with any URI scheme for which a discovery mechanism is defined -- it supports XRI as well as HTTP, for example -- so we can simply define the discovery process for email addresses as "use EAUT to get an HTTP URL and do HTTP discovery as per the OpenID 2.0 specification". After you do this, everything else "just works", and your "primary key" at the RP is your email address.Martinhttp://mart.degeneration.co.uk/noreply@blogger.com