OpenID 2.0 Directed Identity and Emails

A couple of days ago I talked with Eran Hammer-Lahav about an idea I had regarding his post about using Emails as OpenID identifiers.

During the talk another sub-idea came to light regarding OpenID 2.0 Directed Identity and Emails. While I’m not sure whether this has been discussed before (I haven’t had much time to go through old posts on the OpenID mailing list yet), I thought I’d bring it up here.

Directed Identity is a feature that allows a user to enter only the domain in which his/her identity resides. This means that if I want to use my OpenID login at some site, instead of entering the full URL of my exact identity, I can simply put in the domain name of my OpenID provider.

My provider figures out the rest, including how to direct me back to the right site after I log in correctly.

Yahoo’s implementation of OpenID 2.0 supports directed identities. At their OpenID site they educate users to type just “yahoo.com” instead of the full, long URL of their profile.

With a small change, a user could use his/her Email address for directed identity; after all, users already know how to enter an Email address on most sites to sign in or sign up.

In the case of Yahoo, instead of entering “yahoo.com” to use directed identity, why not enter your whole Email, “myemail@yahoo.com”? The consumer OpenID implementation can simply cut the domain name out of the Email and use directed identity for the rest of the process.

I’m sure many Yahoo users would find entering their Email more natural and easier to comprehend than figuring out that they should enter the domain name.

The benefit of this idea is in its implementation. Providers that support OpenID 2.0 don’t need to do anything. The real change is in the OpenID consumer libraries that support OpenID 2.0: they only need a simple regex to extract the domain name from the Email.
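As an added example (not code from the post or from any OpenID library), here is how a relying party could turn the user’s typed input into an OpenID 2.0 directed-identity request: an e-mail address is reduced to its domain, anything else is treated as a normal URL identifier, and the request uses identifier_select as the spec requires. The relying-party URLs are hypothetical and discovery of the OP endpoint is left out.

```python
import re
from urllib.parse import urlencode

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Deliberately strict: exactly one "@", no whitespace, hostname-shaped domain
# with a TLD. Anything that does not match is treated as a URL identifier.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def normalize_user_input(user_input: str) -> str:
    """Return the identifier the consumer library should run discovery on.

    An e-mail address is reduced to its domain (the directed-identity case
    the post describes). Anything else gets the simplified URL normalization
    of OpenID 2.0 section 7.2: prepend http:// when no scheme is present.
    """
    text = user_input.strip()
    match = EMAIL_RE.match(text)
    if match:
        # Keep only the domain; the local part is discarded right here so the
        # relying party never stores, logs or forwards the user's mailbox name.
        text = match.group(1).lower()
    if "://" not in text:
        text = "http://" + text
    return text


def directed_identity_request(user_input: str, return_to: str, realm: str):
    """Build the checkid_setup parameters for a directed-identity request.

    The RP does not yet know the user's claimed identifier, so openid.identity
    and openid.claimed_id both carry identifier_select; the OP, found by
    discovery on the returned op_identifier, fills them in on the way back.
    """
    op_identifier = normalize_user_input(user_input)
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,  # hypothetical RP return URL
        "openid.realm": realm,          # hypothetical RP realm
    }
    return op_identifier, urlencode(params)


if __name__ == "__main__":
    op, query = directed_identity_request("myemail@yahoo.com",
                                          "https://rp.example/openid/return",
                                          "https://rp.example/")
    print(op)     # http://yahoo.com
    print(query)
```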

Do you know if this idea was previously suggested?

Do you think it’s applicable?

I certainly think it can make things easier for everyone, and I’m thinking here in mother terms. I know my mother knows her Email and knows how to sign in to sites with it. I’m quite sure she has little understanding of what a URL is, what its syntax is, and why she would need to use one.

11 thoughts on “OpenID 2.0 Directed Identity and Emails”

  1. Thanks for the reference Carsten.

    I’ll take a look at that, although my offer described above still stands regardless of how Yahoo! has implemented the Directed Identity :-)

  2. Honestly, if e-mails were used for OpenID… I, for one, would never use OpenID. I’d be too concerned that spammers would easily be able to grab my e-mail. Whereas with the way OpenID currently is, I don’t even have to think about spammers. Sure, my e-mail can be sent through… but it doesn’t have to be a completely accurate one, or I can avoid having the e-mail sent with my identity. On top of that, if I change e-mail addresses at some point… I’m still the same identity (according to the way OpenID works right now).

  3. Devon, I’m not saying that URLs shouldn’t be used. It’s just going to be harder for most people to figure out how to use them instead of Emails.

    Regarding spammers, what I suggested can only be used wrongfully by spammers in a scenario where they produce a fake login screen, in other places the OpenID consumer library simply needs to cut out the domain part and use it.

    Regarding spam in general, I think Gmail and other such services do a relatively good job of fighting spam even if your address is fully published, so I don’t think that should be taken into account too deeply.

    Regarding the ability to change Email, you are correct. But it’s no different than the way in which you change your URL.

  4. “Regarding spammers, what I suggested can only be used wrongfully by spammers in a scenario where they produce a fake login screen, […]”

    Technically, this is incorrect. The spammer doesn’t have to produce a “fake login screen”. The spammer only has to run a Relying Party (a consuming website) that asks you to log in with your OpenID. And then when people enter their e-mail address, the spammer takes it and runs. At that point they can even error out something about your provider being down (even if it isn’t).
    At that point, they have your e-mail address because you submitted it to their site.

  5. If they have your Email address, why is it different from having your OpenID URL, which usually contains part of your username?
    They can then try to work through your SP to try and break the password, the same way they would do with your email.

    Regarding a spammer having your Email, I know it isn’t bulletproof and you need to educate people about figuring out what’s spam and what’s ham, but the point is that most Email providers (Gmail, Yahoo, Hotmail) have relatively good spam filters, which can reduce that problem.

    This is, by no means, a way to avoid good education as to not sending your personal details or password, etc., of course.
