Feedback for "OpenIDNS"

So on Saturday I finally got around to documenting an idea I have had for a long time to find a way to make OpenID a more grokable concept for the average less technical user. On Sunday someone wrote a spec. And now feedback is coming in. There are a number of people who support the concept, but I think it is the objections that are more interesting and more salient to addressing the concerns of others.

About asking for an email address or "OpenID": If I give someone a URL, the worst that can happen is that they don't visit my site. If I hand someone a working email address, I run the risk of receiving more spam. [Bart Schuller]

A valid point. Sincerely. Spam is a risk. But allow me to give you my gut reaction to this - which I doubt will be popular. My gut says that we must all dispense with the notion that any email in the world is immune from spam. That there is virtually no way to keep an email private, by virtue of the fact that email by its very nature is public. So if we concede to that fact, then who cares who you give the email to? You are as likely to receive as much spam with a "secret" email address as you are with a public one.

Ok, now I will let reason speak for me. Spam is a serious concern here, and this is certainly the weakest point in the proposal. Perhaps someone with more knowledge of the inner workings of SMTP can elucidate how it could be made more secure, or what options implementors have in locking their systems down?

I fear that extending SMTP will be impractical for many potential OpenID identity providers. Even if you could get packages like the Postfix MTA to adopt the extension, there are many more proprietary MTAs that would never do so.

This is my concern as well, to be honest. I don't have a lot of personal experience or knowledge about extending SMTP implementations, but I sense that a lot of people simply install Sendmail and Postfix and upgrade only when they upgrade their OS. They are not products that seem to have a vibrant extension mechanism that users like to exploit.

But what I like about SMTP is that it is inherently distributed, just like OpenID. In this way, SMTP is the perfect mate for this idea, because a non-centralized system is simply easier to trust because it is easier for actors to exert control over their identity within their system.

Finally, the goal here would not be to extend Sendmail or Postfix, but to get Google, Yahoo or Microsoft to adopt the protocol so that Hotmail, Gmail and MSN email addresses can all be used to log in via an OpenID client. And given the simplicity of the protocol and that those are relatively closed systems, I don't think it is unrealistic for them to do so. It will only promote their products as a trusted identity source even more. And who wouldn't want that?

I think you're right when you say that the average person thinks of an email address before thinking of a URL. But a lot of people are also using IM nicknames or forum usernames to refer to someone on the internet. [Antoine Imbert]

I come back to the lofty goal of making OpenID something our moms could use. I don't know about your mom, but my mom doesn't have an IM account, much less know what the hell IM is. That being said, it should also be pointed out that most people's IM addresses are also email addresses (and vice versa). My Gmail email address is also my gTalk IM address. Same for my AIM address.

For that reason I think IM addresses are a very interesting idea. We should explore what an OpenID extension for XMPP or some equivalent might look like.

Reese, it seems, feels the hoi-polloi are too dumb to understand a URL/URI/XRI and need the "comfort" of an email address to use OpenID. The fact that most of the creators of the various parts of OpenID specifically rejected email address as an identifier seems to play no part in the discussion. [Dave Kearns]

I posted a lengthy response on Dave's blog, but what I meant to reiterate is that I am not advocating the replacement of URLs as identifiers, but rather for a way for other identifiers to be used in place of a URL so that the protocol can fit into whatever pre-existing mental models around identity already exist.

Dave suggests that I am being lazy by not taking on the challenge of educating people about OpenID and using URLs as identifiers. Perhaps I am, and in fact if we could achieve that goal of educating everyone about the use of URLs as identifiers I would be a happy, happy man - in my own geeky way. But the hurdles with, and the level of effort associated with, educating the entire Internet population about a new identity paradigm seem folly.

Remember, this is about lowering the barriers to adoption, not raising them.

3 Comments

Let's say it once, and let's say it together. Use e-mail address.

Go for adoption (VHS), not "technical excellence" (BetaMAX). I would be very interested in reading the divine dialogue against e-mail address in Open ID. Yes, URL lends to ease of adoption for the service provider, but what about the consumer? Telephone numbers and e-mail addresses are the only two universal-identifiers that have stood the test of space and time. How about using one of them?

I found this somewhat useful, thank you either way, awesome post

It's my favorite music group, I absolutely enjoy everything they make so far, but the first albums remain some of the greatest for me
