Re: Yahoo available AX attrs

[Joseph A Holsten]

+1 low hanging fruit. Would be harder to do it for just email and  
generalize later.

Wondering what the birth date equivalent of i-am-the-postmaster is.  
All my whuffie for i-am-their-mother-i-was-there.
--
j
On Dec 8, 2009, at 12:00 PM, Paul Madsen wrote:

Is the plan to ensure that whatever mechanism is defined to express  
'verified' for an email address will be applicable for other  
attributes, e.g. birth date etc

Paul

Brian Kissel wrote:

+1.  As Allen has said before, and many RPs have confirmed, a  
verified email address with the attributes he's recommending allow  
RPs to remove a very problematic step in their workflow where the  
user has to get an email from the RP then click on it to "verify"  
the address before enabling an account.  There are non-trivial  
registration losses in this workflow when those verification emails  
go to spam folders or users just forget to click the link.   
Delivering a verified email let's RPs register a user in real time  
eliminating this step in the workflow.  This gets higher  
registrations and instantaneous access and gratification to the user.

Cheers,

Brian
___________

Brian Kissel
CEO, JanRain - WebID and Social Publishing for User Engagement
Email: bkis...@janrain.com     Cell: 503.866.4424     Fax:  
503.296.5502


-----Original Message-----
From: openid-specs-boun...@lists.openid.net [mailto:openid-specs-boun...@lists.openid.net 
] On Behalf Of Joseph A Holsten
Sent: Tuesday, December 08, 2009 1:57 AM
To: Allen Tom
Cc: openid-specs@lists.openid.net
Subject: Re: Yahoo available AX attrs

I understand the desire to say that the email is verified, but it
strikes me as a bit like the urgent priority field in email. "No  
email
provided" vs "This is the user's email" vs "This is Really the User's
Email and I Mean It". Unless it means "This is the user's email, I've
done due diligence, and you can hold me legally liable." Everything
else boils down to understanding what the OP means when they make an
assertion.

If you really want a verified flag/timestamp/zero-knowledge-proof,
perhaps you have a better idea about the interaction flow when things
aren't verified to 100% certainty. Would the OP require the user to
verify their email before allowing them to authenticate? Leave it up
to the RP to verify? What if the OP says they're certain but the RP
doesn't actually trust them? What happens when the OP says they've
verified, but not 100% certain? Do you expect different RPs to make
different decisions in these circumstances? How would they choose?

I'm assuming we're not talking about RPs that have a significant
legal / medical / financial interest in accurate assertions, because
that's legal liability / consent / know your customer and you'll need
more than a timestamp+i-mean-it for that.
--
j

On Dec 7, 2009, at 10:36 PM, Allen Tom wrote:


I'd recommend using a timestamp indicating when it was last
verified, with a special value to indicate that the OP is also the
email provider and has 100% certainty. (perhaps just setting the
verification time==now is sufficient)

Allen


On 12/7/09 8:29 PM, "Chris Messina" <chris.mess...@gmail.com> wrote:


Sounds like something to add to PoCo... perhaps something as simple
as a "verified" boolean added to email addresses?

http://portablecontacts.net/draft-schema.html#anchor4

Chris

On Mon, Dec 7, 2009 at 8:25 PM, Brian Kissel <bkis...@janrain.com>
wrote:

+1 on email address metadata, many RPs definitely want this.

Cheers,

Brian
___________

Brian Kissel
CEO, JanRain - WebID and Social Publishing for User Engagement
Email: bkis...@janrain.com     Cell: 503.866.4424     Fax:
503.296.5502


-----Original Message-----
From: openid-specs-boun...@lists.openid.net 
[mailto:openid-specs-boun...@lists.openid.net
] On Behalf Of Allen Tom
Sent: Monday, December 07, 2009 7:46 PM
To: Peter Watkins; Chris Obdam; openid-specs@lists.openid.net
Subject: Re: Yahoo available AX attrs

Oops - I clicked send too early.

The bad UX with AX is the security warning that most browsers
display when
POSTing a form from HTTPS to HTTP, which is the case when the
Yahoo OP
returns a lot of attributes. AX attribute names are excessively
long, so
it's very likely that using different attribute names for first/
last/middle
name will cause the response to be returned via POST. (2KB is the
cutoff
point)

With regards to email address - unless we're 100% sure about the
email
address, we'd like to return metadata about the email address.
Specifically,
we'd like to indicate whether or not the email address was
verified, and if
so, when it was verified. This is definitely something that we'd
like to get
in to AX 2.0.

Allen



On 12/7/09 7:39 PM, "Allen Tom" <a...@yahoo-inc.com> wrote:


It definitely makes sense to use different attributes for

givennanme/surname

so that RPs don't have to parse the string, and a few other RPs

have also

asked for it.  Our initial goal for our AX implementation was

just to match

SREG, and SREG only has a single openid.sreg.fullname attribute.

We'll add support for separate first/last/middle/suffix

attributes in a

followup release - probably early next year. I do hope that

we're able to

standardize the attribute names, and also keep them short and

compact. If you

ask for all our supported attributes, the response will exceed

2KB, which

requires that the response is returned via POST, causing a

really bad UX.

With regards to email address - we'd like to be able to return

metadata about

the email address w



On 12/7/09 7:25 AM, "Peter Watkins" <pet...@tux.org> wrote:


On Mon, Dec 07, 2009 at 09:16:46AM +0100, Chris Obdam wrote:

Chris (Obdam)  - which additional attributes would you like

to see

available? The attributes that we'll be adding early next

year will include

Yahoo Profile URL and account creation date. A bunch of

people have asked

for Flickr Photos URL and Upcoming Profile URL, so we'll

probably get

around
to adding those too.

I would like to access every attr specified in de AXschema? :-)

In my Yahoo profile i have provided my address (home and

work). I would like

to use those in a sign form somewhere else.
Same goes for my phone numbers.

So would I. One of the simpler goals of our Single Sign On is

prepopulating

form fields; having postal address and phone number would be a

help.

I'd also like to see First and Last names available as separate

attributes,

otherwise we're trying to intelligently split both "Mary Jane

Parker" and

"Malcom Mac Murray".

Also I would prefer that you give us the user's *primary* email

address. In

my Yahoo profile, my Yahoo email address is flagged as "Share

with no one"

and I have a different email address flagged as primary, but

your AX sends

my yahoo email address. That's bad from usability in part

because I very,

very seldom check my Yahoo email inbox.

The Yahoo website attribute would also be nice to have; as we

start

building more "social" features on our sites, it would be nice

to make

it easier for our users to share links to their primary web

presences,

although I can understand if Yahoo management prefers to only

expose the

Profile URL for business reasons.

Thanks,

Peter


_______________________________________________
specs mailing list
sp...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs
_______________________________________________
specs mailing list
sp...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs


_______________________________________________
specs mailing list
sp...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs


_______________________________________________
specs mailing list
sp...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs
_______________________________________________
specs mailing list
sp...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs



_______________________________________________
specs mailing list
sp...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs