
On Mon, Sep 20, 2010 at 2:06 PM, Maciej Piechotka
On Sun, 2010-09-19 at 17:12 +0200, Michael Snoyman wrote:
Let me respond to this directly since a number of people have brought this up:
Due to spam reasons we can't trust the email given via an OpenID provider in general. For example, it would be trivial for me to create an OpenID provider for myself, set my email address as
and essentially spam them. By going with a service like Facebook or Google, we know (or at least assume) that they do proper email validation, so we could immediately accept this value without needing to verify it ourselves.
In other words: Yes, I know there are extensions to OpenID. And no, we can't use it to get a verified email address.
Michael
There are people who for whatever reason don't use Facebook/Google/.... And sending verification e-mail costs practically nothing.
Regards
PS. If we have on-site registration it would have unverified e-mail as well.
From my original email:
* Username/password on the site. But who wants to deal with *another* password?
* OpenID. Fixes the extra password problem, but doesn't give us any extra information about the user (email address, etc).
* Facebook/Twitter/Google: We get the user's email address, but do we *really* want to force users to have one of those accounts?

I disagree with the sentiment of "sending a verification e-mail costs practically nothing". While *sending* it is cheap, we then need to wait for users to respond to it. Compare this with a Google/Facebook login scenario, where they click a button on our site, click approve on Google/Facebook, and are completely approved.

Michael
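
The trade-off discussed in this thread, as an added example that is not part of any message above: an e-mail claim is accepted as verified only when the OpenID provider that made the assertion is on an operator-chosen allowlist, and any other provider gets a pending account plus a signed, expiring verification token. The host name, secret, token format and function names are all assumptions made for illustration.

```python
import hashlib, hmac, time
from urllib.parse import urlsplit

# Assumption: hosts of providers the operator believes validate e-mail (placeholder).
TRUSTED_PROVIDER_HOSTS = {"login.trusted-idp.example"}
SECRET = b"constructed-demo-key"   # constructed; keep the real key in secret storage
TOKEN_TTL = 24 * 3600              # verification links expire after one day

def provider_is_trusted(op_endpoint):
    # op_endpoint must be the endpoint the assertion was verified against,
    # never a value taken from user-controlled request parameters.
    parts = urlsplit(op_endpoint)
    return parts.scheme == "https" and parts.hostname in TRUSTED_PROVIDER_HOSTS

def _sign(user_id, email, expires):
    msg = f"{int(user_id)}|{email.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(user_id, email, now=None):
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{expires}.{_sign(user_id, email, expires)}"

def check_token(user_id, email, token, now=None):
    # Token binds account, address and expiry; malformed input is rejected.
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    now = int(now if now is not None else time.time())
    good = _sign(user_id, email, expires)
    return hmac.compare_digest(sig.encode(), good.encode()) and now <= expires

def register(user_id, op_endpoint, claimed_email, now=None):
    """Return (status, token): 'verified' for allowlisted providers, else 'pending'."""
    if provider_is_trusted(op_endpoint):
        return ("verified", None)
    return ("pending", make_token(user_id, claimed_email, now))
```
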