Tags: openid
A proposal: email to URL mapping
Background
People have different identifiers, of different security, that they give out depending on how much they trust you. Examples might include:
It's also possible to do a <a href="mailto:me@example.com" rel="me"> to an email address, making a one-way claim that you own an email address. But how do you make a rel="me" back from the email address to a URL, completing the cycle?
Another problem people have been bringing up regularly is how to use an email address as an OpenID identifier. For this to work, you need to do service discovery on it to find out the O.
If you could map from email address to URL (going from a private identifier to a more public identifier), both problems are solved... the mapping from email to URL is the rel="me" link, and the pointed-to-URL can then be used for any URL-like purpose:
So....
How to map from an email to a URL?
I propose:
Given, say, bradfitz@my-email-service.com, you do Yadis capabilty discovery on my-email-service.com, looking in the resultant XRDS service document for a capability of type, say, "http://schemas.net/2008/email-to-url/", and the resultant endpoint which speaks that capability protocol. Here's an example document (retrieved via Yadis, which means sending HTTP Accept: header of right mime type and getting it immediately, or looking at link from <head>):
The 2008/email-to-url capability endpoint (email2url_mapper.cgi, in this example), then speaks this "protocol":
FAQ:
Why the Yadis indirection?
That's what Yadis is for. Discovery capabilities of an endpoint. This is exactly how OpenID works. There are libraries for it. Yadis discovery is cached. In practice, this step won't cost.
Privacy! Stealing my email addresses!
No, you start with the email address. You already have it. It's up to the user to determine if they want a public URL (presumably more public than their email address) attached to their email address.
Why not use $X?
What's X? I'm not aware of anything else. (Except for something I saw recently which was tied to OpenID and was pattern-based)
Why not pattern-based?
I want to tell, say, hotmail.com that my URL is http://bradfitz.com/, not MSN Spaces, or whatever hotmail.com might choose for a static username-to-URL mapping. It needs to be a dynamic lookup, not a published pattern.
Why not tie this to OpenID?
Layering violation.
Caching?
The 302 could include an expires header.
But only the dorks would support this.
Maybe, but that's how it always starts. Maybe we could get some big email providers to do this too. Imagine a tab in your favorite Big3/Big4's email options which says:
The end
Discuss?
People have different identifiers, of different security, that they give out depending on how much they trust you. Examples might include:
- Homepage URL (very public)
- Email address (little bit more secret)
- Mobile phone number (perhaps pretty secretive)
It's also possible to do a <a href="mailto:me@example.com" rel="me"> to an email address, making a one-way claim that you own an email address. But how do you make a rel="me" back from the email address to a URL, completing the cycle?
Another problem people have been bringing up regularly is how to use an email address as an OpenID identifier. For this to work, you need to do service discovery on it to find out the O.
If you could map from email address to URL (going from a private identifier to a more public identifier), both problems are solved... the mapping from email to URL is the rel="me" link, and the pointed-to-URL can then be used for any URL-like purpose:
- Being an OpenID identifier
- hosting an hCard
- Pointing to another Yadis service type (OAuth-protected friends/contact server)
So....
How to map from an email to a URL?
I propose:
Given, say, bradfitz@my-email-service.com, you do Yadis capabilty discovery on my-email-service.com, looking in the resultant XRDS service document for a capability of type, say, "http://schemas.net/2008/email-to-url/", and the resultant endpoint which speaks that capability protocol. Here's an example document (retrieved via Yadis, which means sending HTTP Accept: header of right mime type and getting it immediately, or looking at link from <head>):
<?xml version="1.0" encoding="UTF-8"?>
<!-- Sample YADIS XRDS file -->
<xrds:XRDS
xmlns:xrds="xri://$xrds"
xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://schemas.net/2008/email-to-url/</Type>
<URI>http://apis.my-email-service.com/email2url_mapper.cgi</URI>
</Service>
</XRD>
</xrds:XRDS>
The 2008/email-to-url capability endpoint (email2url_mapper.cgi, in this example), then speaks this "protocol":
That's about it.GET /email2url_mapper.cgi?email=bradfitz@my-email-service.com HTTP/1.1 Host: apis.my-email-service.com HTTP/1.1 302 Found Location: http://bradfitz.com/
FAQ:
Why the Yadis indirection?
That's what Yadis is for. Discovery capabilities of an endpoint. This is exactly how OpenID works. There are libraries for it. Yadis discovery is cached. In practice, this step won't cost.
Privacy! Stealing my email addresses!
No, you start with the email address. You already have it. It's up to the user to determine if they want a public URL (presumably more public than their email address) attached to their email address.
Why not use $X?
What's X? I'm not aware of anything else. (Except for something I saw recently which was tied to OpenID and was pattern-based)
Why not pattern-based?
I want to tell, say, hotmail.com that my URL is http://bradfitz.com/, not MSN Spaces, or whatever hotmail.com might choose for a static username-to-URL mapping. It needs to be a dynamic lookup, not a published pattern.
Why not tie this to OpenID?
Layering violation.
Caching?
The 302 could include an expires header.
But only the dorks would support this.
Maybe, but that's how it always starts. Maybe we could get some big email providers to do this too. Imagine a tab in your favorite Big3/Big4's email options which says:
Your public URL: [___________________________]
(This is the web URL that will be given out to anybody with your email address.)
The end
Discuss?
It's looking to be a fun year...
Yahoo does OpenID...
http://openid.yahoo.com/
Blogger does OpenID... (including RP)
http://bloggerindraft.blogspot.com/2007/11/new-feature-openid-commenting.html
http://bloggerindraft.blogspot.com/2008/01/new-feature-blogger-as-openid-provider.html
AOL/AIM speaking XMPP!?!
http://florianjensen.com/2008/01/17/aol-adopting-xmpp-aka-jabber/
What's next, dogs and cats living together?
Craziness.
http://openid.yahoo.com/
Blogger does OpenID... (including RP)
http://bloggerindraft.blogspot.com/2007/11/new-feature-openid-commenting.html
http://bloggerindraft.blogspot.com/2008/01/new-feature-blogger-as-openid-provider.html
AOL/AIM speaking XMPP!?!
http://florianjensen.com/2008/01/17/aol-adopting-xmpp-aka-jabber/
What's next, dogs and cats living together?
Craziness.
Yahoo and OpenID?
Looks like Yahoo's up to something with OpenID:
http://www.readwriteweb.com/archives/flickr_to_authenticate_openid.php
... I can't wait to see what! :-)
http://www.readwriteweb.com/archives/flickr_to_authenticate_openid.php
... I can't wait to see what! :-)
OpenID commenting launched in Blogger
Awww, I love how Eric's all about using me as the example in this blog post, announcing OpenID commenting being officially launched on Blogger:
http://buzz.blogger.com/2007/12/openid-commenting.html
http://buzz.blogger.com/2007/12/openid-commenting.html
Blogger + OpenID
Check it:
http://bloggerindraft.blogspot.com/2007/11/new-feature-openid-commenting.html
Hell yeah.
(Oh, and in case you thought I was implying this was my work... let me dispel that right away. I had like almost zero to do with this. But flattered by Eric Case mentioning me in the announcement post!)
http://bloggerindraft.blogspot.com/2007/11/new-feature-openid-commenting.html
Hell yeah.
(Oh, and in case you thought I was implying this was my work... let me dispel that right away. I had like almost zero to do with this. But flattered by Eric Case mentioning me in the announcement post!)
Thoughts on the Social Graph
I wrote a huge post that grew too long for a blog post, and put it here:
http://bradfitz.com/social-graph-problem/
Comments welcome!
http://bradfitz.com/social-graph-problem/
Comments welcome!
Give me cred
Sun & OpenID
This is good for OpenID...
Sun just pre-announced their OpenID IP Non-Assertion Covenant, saying very clearly and strongly that they won't assert any patent claims against anybody implementing OpenID, as long as said person/company doesn't assert any patents against any other OpenID implementation (not just against Sun). And also said they don't necessarily have any relevant patent claims. etc, etc.
The official legalese (going up on their website soon) is actually very readable. Thanks, Sun!
Basically big company making public statement that OpenID is safe and preventing anybody from suing anybody.
Patent cold war == good thing (considering current patent situation).
( Collapse )
Sun just pre-announced their OpenID IP Non-Assertion Covenant, saying very clearly and strongly that they won't assert any patent claims against anybody implementing OpenID, as long as said person/company doesn't assert any patents against any other OpenID implementation (not just against Sun). And also said they don't necessarily have any relevant patent claims. etc, etc.
The official legalese (going up on their website soon) is actually very readable. Thanks, Sun!
Basically big company making public statement that OpenID is safe and preventing anybody from suing anybody.
Patent cold war == good thing (considering current patent situation).
( Collapse )
AOL supporting OpenID
Yes, friends, AOL is now supporting OpenID.
I figured I'd better say something so everybody stops spamming me about it. :-)
Microsoft, AOL, Verisign, Symantec, .... anybody else I'm forgetting? Good times.
I figured I'd better say something so everybody stops spamming me about it. :-)
Microsoft, AOL, Verisign, Symantec, .... anybody else I'm forgetting? Good times.