OpenID 2.0 Directed Identity and Emails

January 27, 2008

A couple of days ago I talked with Eran Hammer-Lahav about an idea I had regarding his post about using Emails as OpenID identifiers.

During the talk another sub-idea came to light with regard to OpenID 2.0 Directed Identity and Emails. While I’m not sure if this has been discussed before (I didn’t have much time to go through old posts on the OpenID mailing list yet), I thought about bringing it up here.

Directed Identity is a feature that allows a user to enter the domain in which his/her identity resides. This means that if I want to use my OpenID login at some site instead of entering the whole URL to my exact identity, I can simply put the domain name of my OpenID provider.

My provider will figure out all the rest, including how to direct me back to the right site after I log in correctly.

Yahoo’s implementation of OpenID 2.0 supports directed identities. At their OpenID site, they are educating users to write just “yahoo.com” instead of a full blown long URL to their profiles.

With a small change, a user can use his/her Email address for directed identity; after all, users already know how to enter an Email address on most sites to sign in/up.

In the case of Yahoo, instead of entering “yahoo.com” to use directed identity, why not put your whole Email, “myemail@yahoo.com”? The consumer OpenID implementation can simply cut off the domain name from the Email and use directed identity for the rest of the process.

I’m sure a lot of Yahoo users will find entering their Email more natural and easier to comprehend than figuring out they should put the domain name.

The benefit of this idea is in its implementation. Providers that support OpenID 2.0 don’t need to do anything. The real change here is in the OpenID consumer libraries that support OpenID 2.0. The consumer libraries only need to use a simple regex to extract the domain name from the Email.
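One way a consumer library could perform the extraction described above, as an added example that is not part of the original post or of any OpenID library. The function names, the `InvalidIdentifier` type and the validation rules (refusing IP literals and single-label hosts before the domain drives a discovery request) are assumptions for illustration; the `http://` prefix follows OpenID 2.0 normalization of scheme-less input.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


class InvalidIdentifier(ValueError):
    """The input cannot be turned into a safe OP Identifier (hypothetical type)."""


def validate_host(host):
    """Normalise a user-supplied domain and refuse anything that is not an FQDN."""
    host = host.strip().rstrip(".").lower()
    if not host or len(host) > 253:
        raise InvalidIdentifier("empty or oversized domain")
    try:
        # Refuse IP literals so discovery cannot be pointed at a raw address.
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        pass
    else:
        raise InvalidIdentifier("IP literal not accepted")
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        raise InvalidIdentifier("not a fully qualified domain name")
    if not labels[-1][0].isalpha():
        # A TLD starts with a letter; this also rejects forms such as "0x7f.1".
        raise InvalidIdentifier("numeric top-level label")
    return host


def op_identifier_from_input(user_input):
    """Map 'user@domain' or 'domain' to the URL where discovery starts."""
    text = user_input.strip()
    if "@" in text:
        # Split on the last "@"; the local part is dropped and never sent on.
        local, _, domain = text.rpartition("@")
        if not local:
            raise InvalidIdentifier("missing local part")
    else:
        domain = text
    return "http://" + validate_host(domain) + "/"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("myemail@yahoo.com", " Yahoo.COM "):
        print(repr(sample), "->", op_identifier_from_input(sample))
```

Prefixing `http://` to the raw input instead would turn `myemail@yahoo.com` into a URL whose userinfo component is `myemail`, which is why the address is split explicitly before normalization.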

Do you know if this idea was previously suggested?

Do you think it’s applicable?

I certainly think it can make it easier for everyone and I’m thinking here in mother terms. I know my mother knows her Email and knows how to sign in to sites with it. I’m quite sure she has little understanding of what a URL is, what its syntax is and why she would need to use it.

posted in OpenID, Thoughts, Yahoo by Eran Sandler


  • http://www.notsorelevant.com

    It seems like Yahoo! is not really supporting Directed Identity as it is usually understood. It has been discussed on the OpenID mailing list recently (http://openid.net/pipermail/general/2008-January/003972.html). I recommend reading the whole thread, though.

  • http://eran.sandler.co.il Eran

    Thanks for the reference Carsten.

    I’ll take a look at that, although my offer described above still stands regardless of how Yahoo! has implemented the Directed Identity :-)

  • http://www.notsorelevant.com

    That’s right, of course. :)

  • http://devonyoung.com/ Devon Young

    Honestly, if e-mails were used for OpenID…I for one, would never use OpenID. I’d be too concerned that spammers would be easily able to grab my e-mail. Whereas with the way OpenID currently is, I don’t even have to think about spammers. Sure, my e-mail can be sent through…but it doesn’t have to be a completely accurate one or I can avoid having the e-mail sent with my identity. On top of that, if I change e-mail addresses at some point…I’m still the same identity (according to the way OpenID works right now).

  • http://eran.sandler.co.il Eran

    Devon, I’m not saying that URLs shouldn’t be used. It’s just going to be harder for most people to figure out how to use them instead of the Emails.

    Regarding spammers, what I suggested can only be used wrongfully by spammers in a scenario where they produce a fake login screen, in other places the OpenID consumer library simply needs to cut out the domain part and use it.

    Regarding spam in general, I think Gmail and other such services do a relatively good job in fighting spam even if your address is fully published, so I don’t think that should be taken into account too deeply.

    Regarding the ability to change Email, you are correct. But its no than a way in which you change your URL.

  • http://eran.sandler.co.il Eran

    If they have your Email address, why is it different than having your OpenID URL, which usually contains part of your username?
    They can then try to work through your SP to try and break the password, the same way they would do with your email.

    Regarding a spammer having your Email, I know it isn’t bulletproof and you need to educate people about figuring out what’s spam and what’s ham, but the point is that most Email providers (Gmail, Yahoo, Hotmail) have relatively good spam filters which can reduce that problem.

    This is, by no means, a way to avoid good education as to what not send your personal details or password etc, of course.

  • http://collantes.us/ David Collantes

    Your OpenID implementation here isn’t working.

  • http://eran.sandler.co.il Eran Sandler

    David, thanks for the update. I need to install the latest openid plugin and upgrade the blog. Mine is rather old…

    Eran

  • http://aldrik.net/ aldrik.net/

    For me OpenID works fine here

  • http://simmeon.co.uk Simmeon

    OpenID may not be as secure as first anticipated. I got hacked so am not using it anymore.
