Why e-mail validation when using OpenIDs?


(Johny Woller Skovdal) #1

Is there something I’m missing with OpenIDs, or shouldn’t you be sure that the e-mail is valid if I, for instance, create my account by using the Google login? I was just wondering why I had to confirm the account?


(Valts) #2

I think it’s because you can create your own OpenID provider too, and make it return whatever data you want. So having a valid OpenID doesn’t really mean that the data from it is trustworthy. You can basically only use it to determine that the person who is logging on is the same person who logged on yesterday.


(Johny Woller Skovdal) #3

Yeah, but aren’t there trusted providers? I mean, can’t we see that the OpenID provider is Google, and be sure that they only provide valid e-mail addresses?


(Endy Tjahjono) #4

Interesting article about it:
http://blog.wekeroad.com/thoughts/open-id-is-a-party-that-happened

From the article: if for some reason the OpenID provider changes the hashing mechanism, if you only have that hash to identify your user, you are screwed.


(Johny Woller Skovdal) #5

Not exactly about what I was saying. I was wondering why you have to verify an e-mail that is supplied by a trusted OpenID provider? :) Interesting article though.


(Endy Tjahjono) #6

He mentioned that there was a time Google changed the email address of UK users from gmail.com to googlemail.com.


(Johny Woller Skovdal) #7

Well, weren’t both working? That’s how I remember it at least?


(Endy Tjahjono) #8

That, I don’t have the answer :)


(Jeff Atwood) #9

The TL;DR is this:

IDENTITY = EMAIL

Remember that Stack Overflow was rather unique in that we did not care, at all, about your email address. Ever. Can you name one other major site on the Internet that also does not care about your email when signing up …? Because I can’t.

If the OpenID provider does not validate email – e.g. in the case of Google they usually are your email – then they aren’t valid to us as identity providers.

There might be some way of whitelisting certain OpenID providers that do validate email, but otherwise we’d have to validate email after signup, which feels kind of pointless.


About the idea: IDENTITY = EMAIL
(Patrick Westerhoff) #11

Seconded. Persona gives you a verified email address, so if someone logs in through Persona, you know that you can safely use that email address.


(skomorokh) #12

You identify with reputation not physical individuals

You can basically only use it to determine that the person who is logging on is the same person who logged on yesterday.

Isn’t that all you’re validating anyway with an email address? Anyone can receive an email. Or set up a mail server. And I hope it stays that way. It’s not EMAIL = IDENTITY, it’s HISTORY = IDENTITY. You validate the continuity. You don’t associate with a person, you associate with a reputation.

Because that’s about as good as you can do

BrowserID/Persona also allows you to set up your own identity server. Also good. The alternative is to designate a small number of arbiters of who constitutes a valid person entitled to communicate on the Internet. Even if you decide that is a wise idea (it’s not) you would of course have to drop support for creating an account with an email address. And your central identity authorities would have to do stringent verification to ensure only real people get accounts and only one apiece. For that to truly happen we’d have to have stronger birth certificates too.

And you need to do something, mainly as a key

If you want to disambiguate users across sites you can’t trust someone claiming to have an email via OpenID. Simply don’t use email for that! You can merge users based on what keys you know. If you want to just store one key, prefix it with a type openid:, email:, oauth:, whatever.

Another concern is spam. But is that so intractable? Put in a hashcash type thing or two, throw an image recognition problem (one easy for humans like “is this a dog” rather than “decipher and type this awkward set of characters”), maybe trip it up with a stealthed form field or two or use keystroke timing, etc. etc. etc. Any of these is at least as much of a hurdle as requiring an email if not more. And the few determined ones that get through that are probably going to be no higher volume than the junk or abusive posts of real folk.


(Patrick Westerhoff) #13

OpenID or Persona, or whatever else, is an authentication system. It assures that the identity actually belongs to the person that is authenticating.

It doesn’t matter if you can set up your own OpenID or BrowserID server; you are only using that service to perform the authentication. So once an account is set up with it, you can reuse it again, to ensure that the same identity is used. So yes, you would use the continuity here. If the identification server is flawed, for example it is set up to return the same identity for everyone, then that’s a problem of the identity provider, not the consumer (here: Discourse).

The email address—and here I disagree with @codinghorror—is not the identity. It is merely an asset that is attached to the identity which is valuable for the purpose of this site. As the authentication systems do not provide a validated email address, that is, an email address that is actually under the control of the authenticating user, Discourse needs to do that on their own behalf. This is actually a flaw with OpenID, which is not the case for Persona, which indeed follows the equation email address = identity.
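
Added example (not Discourse's code and not written by any poster in this thread): the sign-up decision discussed in posts #9, #12 and #13, with a provider allowlist for email trust and a type-prefixed account key. The allowlisted host, the sample assertions and all method names are constructed assumptions, and each assertion is assumed to have already passed OpenID signature verification.

```ruby
require "uri"

# Assumption: the operator has confirmed these providers only release
# addresses the user controls. The host is a constructed placeholder.
EMAIL_TRUSTED_OP_HOSTS = ["login.trusted-idp.example"].freeze

# True only for an HTTPS endpoint whose host matches the allowlist exactly.
# The decision uses the provider that signed the assertion, never the
# domain part of the email it reports.
def email_trusted_provider?(op_endpoint)
  uri = URI.parse(op_endpoint.to_s)
  uri.is_a?(URI::HTTPS) && EMAIL_TRUSTED_OP_HOSTS.include?(uri.host.to_s.downcase)
rescue URI::InvalidURIError
  false
end

# Typed account key: continuity is tied to the claimed identifier,
# not to the self-reported email.
def account_key(claimed_id)
  "openid:#{claimed_id}"
end

# Decide whether the email can be used as-is or needs a confirmation mail.
def signup_decision(assertion)
  email = assertion[:email].to_s.strip.downcase
  trusted = !email.empty? && email_trusted_provider?(assertion[:op_endpoint])
  { key: account_key(assertion[:claimed_id]),
    email: email.empty? ? nil : email,
    email_verified: trusted,
    send_confirmation: !email.empty? && !trusted }
end

# Constructed sample assertions (hypothetical hosts and identifiers).
SAMPLES = {
  allowlisted: { claimed_id: "https://login.trusted-idp.example/id/1234",
                 op_endpoint: "https://login.trusted-idp.example/auth",
                 email: "alice@trusted-idp.example" },
  self_hosted: { claimed_id: "https://id.selfhosted.example/bob",
                 op_endpoint: "https://id.selfhosted.example/server",
                 email: "alice@trusted-idp.example" },
  lookalike:   { claimed_id: "https://login.trusted-idp.example.other.example/id/9",
                 op_endpoint: "https://login.trusted-idp.example.other.example/auth",
                 email: "carol@trusted-idp.example" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, a| puts "#{name}: #{signup_decision(a)}" }
end
```

Only the allowlisted provider's email skips confirmation; the self-hosted and lookalike providers still get an account key, but their email stays unverified until the confirmation link is used.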


(Jeff Atwood) #14

I have more scars than almost anyone on identity through setting up Stack Overflow. And the one thing I learned, that I believe to be deeply true to the very core of my being, is that identity = email.

Because when you forget your credentials or your password, how do you recover them? 100% of the time the answer is email.

That’s because email = identity…


(Patrick Westerhoff) #15

Sorry, maybe I wasn’t too clear about it; I don’t disagree with using the email address as the identity at all; that’s why I personally like Persona/BrowserID and the idea behind it a lot.

It’s just that when using OpenID, this is not the case, so to have this equality you need to do further stuff that is not already provided by OpenID (hence the email verification here).


(Jeff Atwood) #16