Comments on Identity in Practice: Email Verification and Identity Federation

George Fletcher, 2010-03-24T09:44:09.105-04:00

When it comes to meta-data about the "verified email address", I'm not sure it's really necessary (other than the distinction that an email is verified or not). The relying party (RP) is already depending on the identity provider to correctly authenticate the user. If the RP trusts the identity provider for authentication, then it seems likely it should also trust the provider for correctly specifying whether an email address is verified or not.

The problem with just assuming that the OP that supports email will return the OP's email address is that WebFinger allows for a level of indirection such that my XRD for my gmail address could point to AOL as my OP. In this case, it's likely that the email address the user entered won't be the same as the one the identity provider returns.

[P.S. Sorry it took so long to get your comment posted.]

Praveen, 2010-03-20T03:11:09.280-04:00

Hmm, when you start relying on someone else to do the email verification - doesn't that mean now the OP needs to provide email verification context along with the verified email? Are there any fields being defined for that? How and when the email has been verified, for example.

Also, given that almost all email providers now support OpenID, isn't a successful OpenID login with the user-entered email address good enough? (Of course the OP needs to be the same as the email provider.) Wouldn't that be better than relying on someone else to provide verified email as a user attribute (which raises the questions of when, how and if the user is still the same owner)?