It’s just data

Email addresses your OpenID via DNS

Byrne Reese: this is exactly what OpenID needs: Open iDNS, or “Open Id Domain Name System.” This service would work just like DNS, and would map email addresses to an OpenID provider designated by the owner.

Looking at Jabber recently caused me to see this prior discussion in a new light.  With Google Talk, one’s gmail.com email-style address is one’s identity.  I just created a second address, one without a gmail.com account behind it.  And Google Talk and GMail seem to be doing just fine.

Part of the problem is that the people working on OpenID are concerned about privacy, and the perception is that giving away an email address may be revealing too much.  But as email addresses can be minted at will, the user remains in full control.  And those who wish to can still use http-flavoured URIs, so nobody loses.

Another part of the problem is that the solution proposed required people to do real work: deploy real software in production, and deal with all of the counter-measures designed to stop spammers.

Ironically, DNS SRV records were dismissed prematurely:

Although big providers could easily adopt this, others (consumers, mostly) would have to make substantial efforts in order to adjust.  [Emphasis added]

Here’s a version of the consumer side of the code for a fully load-balancing solution (it uses the python-dns library, imported as DNS):

import DNS, sys, random
DNS.ParseResolvConf()

# resolve _xmpp-server per RFC 2782
for domain in sys.argv[1:]:

  # resolve the service; each answer's data is (priority, weight, port, target)
  request = DNS.Request(qtype='srv')
  response = request.req('_xmpp-server._tcp.%s.' % domain)
  services = [service['data'] for service in response.answers]

  # choose services with the highest priority (lowest number sorts first)
  services.sort()
  services = [service for service in services if service[0]==services[0][0]]

  # make a weighted choice amongst these services
  random.shuffle(services)
  choice = sum(service[1] for service in services) * random.random()
  for service in services:
    choice -= service[1]
    if choice <= 0:
      print("%s:\t%s:%d" % (domain, service[-1], service[-2]))
      break
  else:
    print("%s:\t<none>" % domain)

Try it against gmail.com to see how it works.

DNS records are already distributed and cached, so after the first request there would be little or no noticeable latency.  The software is already deployed: people could publish SRV records without waiting for clients to support them, and clients could start checking for them without waiting for people to publish SRV records.
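As an added example, not code from the post: the same RFC 2782 selection written without a DNS library and run over constructed, in-memory SRV records so it can be exercised offline.  The service name _openid._tcp and the hostnames are assumptions for illustration; the post proposes an SRV record for the email-to-provider mapping but does not name the service.  The example also handles two cases the script above glosses over: a zone that publishes the RFC 2782 “service not available” record (a single target of “.”) and zero-weight records.

```python
import random

# Constructed SRV records in the (priority, weight, port, target) order the
# post's DNS library returns them; not real DNS data.  The service name
# "_openid._tcp" is an assumption for illustration only.
SRV_ZONE = {
    "_openid._tcp.example.com.": [
        (10, 60, 443, "idp1.example.net."),
        (10, 20, 443, "idp2.example.net."),
        (10, 20, 443, "idp3.example.net."),
        (20, 0, 443, "backup.example.net."),
    ],
    # RFC 2782: a single record with target "." means "service not available"
    "_openid._tcp.nowhere.example.": [(0, 0, 0, ".")],
}


def email_domain(address):
    """Return the lower-cased domain of an email address, or None if the
    address has no local part or no domain."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        return None
    return domain.strip(".").lower()


def select_target(records, rng=random):
    """RFC 2782 selection: keep only the records with the lowest priority
    number, then pick one at random with probability proportional to weight.
    Returns (target, port), or None when nothing usable is offered."""
    usable = [r for r in records if r[3] != "."]
    if not usable:
        return None
    lowest = min(r[0] for r in usable)
    candidates = [r for r in usable if r[0] == lowest]
    # Zero-weight records go first so a random pick of 0 can still land on
    # them while they are otherwise rarely chosen; the rest are shuffled so
    # the running-sum walk below is not biased by zone order.
    zero = [r for r in candidates if r[1] == 0]
    weighted = [r for r in candidates if r[1] != 0]
    rng.shuffle(weighted)
    ordered = zero + weighted
    pick = rng.randint(0, sum(r[1] for r in ordered))
    running = 0
    for priority, weight, port, target in ordered:
        running += weight
        if running >= pick:
            return (target, port)
    return None  # not reached: running ends equal to the largest possible pick


def provider_for(address, zone=SRV_ZONE, service="_openid._tcp", rng=random):
    """Map an email address to a provider endpoint via the (in-memory) SRV
    zone, the way a consumer would via a real SRV query.  Returns
    (target, port) or None."""
    domain = email_domain(address)
    if domain is None:
        return None
    records = zone.get("%s.%s." % (service, domain), [])
    return select_target(records, rng)


def sample_distribution(address, trials, seed=1):
    """Count which target is chosen over many trials, to show the weighting."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        chosen = provider_for(address, rng=rng)
        key = chosen[0] if chosen else None
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(provider_for("alice@example.com"))
    print(sample_distribution("alice@example.com", 1000))
```

Run stand-alone, it prints one chosen endpoint for alice@example.com and the distribution over 1000 picks: the weight-60 record should be chosen roughly three times as often as each weight-20 record, and the priority-20 backup never while any priority-10 record exists.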


What DNS library are you using? With my python-dns_2.3.1 I had to change line 10 to read services = [service['data'] for service in response.answers]

Posted by Beat Bolli at

That’s actually a typo in the example.  Fixed.  Thanks!

But, to answer your question, I’m using 2.3.0.

Posted by Sam Ruby at

Hey Sam. Would you mind updating my name? It is spelled incorrectly. :(

Posted by Byrne Reese at

Byrne: oops.  Sorry!  Fixed.

Posted by Sam Ruby at

The other problem is that some people in the OpenID crowd have their own idea of how to use the same identifier for emails, web logon, etc: i-Names.

Of course, the fact that some of these parties are selling i-Names for US$12 a year might have something to do with their support for this system.  It seems that many of the people without a financial interest in i-Names might be more interested in this.

Posted by James Henstridge at

Email addresses your OpenID via DNS . Sam Ruby has warmed to the idea of making e-mail addresses usable as OpenIDs via a DNS SRV record....

Excerpt from Simon Willison's Weblog at

Simon Willison : Email addresses your OpenID via DNS - Email addresses your OpenID via DNS. Sam Ruby has warmed to the idea of making e-mail addresses usable as OpenIDs via a DNS SRV record....

Excerpt from HotLinks - Level 1 at

Sam Ruby: Email addresses your OpenID via DNS

[link] [more]...

Excerpt from reddit.com: programming - newest submissions at

[Django][Python][jQuery][CSS][Other] Roundup

Google Code: New: idjango Looking forward to this! :) videosoft Update: django-pantheon django-evolution deseb django-cms komercha clapton djangobrasil spini-portal django-generics Blog: [Django][django-registration] Trying out user authentication Sakura Internet...

Excerpt from 常山日記 at

Around the web in 80 days #23

Collected over the past week, its weekend and today. Kosmix releases Google GFS workalike ‘KFS’ Still 0.1 alpha for now. For those too lazy to think up, build and do something themselves. Also worth a look: the Y!-sponsored Hadoop. iPhone update:...

Excerpt from laacz here at


Monday Links - 2007-10-01

Hopefully back to my regular blogging schedule...Here’s some links to items I wanted to cover but didn’t have the time: Dave Winer on delivering a payload through Twitter e-mail addresses usable as OpenIDs ClaimID automatically adding XFN rel="me"...

Excerpt from View from W6th at

[from tmoertel] Sam Ruby: Email addresses your OpenID via DNS

[link]...

Excerpt from del.icio.us/network/coty at

It’s already more or less possible to query an OpenID via DNS but with a telephone number and a FOAF file containing the <foaf:openid/> element.

There exists ENUM (TElephone NUmber Mapping) which "is a suite of protocols to unify the telephone numbering system E.164 with the Internet addressing system DNS by using an indirect lookup method, to obtain NAPTR records".

An approximate example for +1 555 42 42:

$ORIGIN 2.4.2.4.5.5.5.1.e164.arpa.
@ IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:phoneme@example.net!" .
@ IN NAPTR 102 10 "u" "E2U+mailto" "!^.*$!mailto:myemail@example.com!" .
@ IN NAPTR 102 10 "u" "E2U+xmpp" "!^.*$!xmpp:some-user@example.com!" .
@ IN NAPTR 102 10 "u" "E2U+web:http" "!^.*$!http://example.net/!" .
@ IN NAPTR 102 10 "u" "E2U+ical" "!^.*$!http://example.com/calendars/!" .
@ IN NAPTR 102 10 "u" "E2U+vcard" "!^.*$!http://example.net/vcard.vcf!" .
etc.

By querying an ENUM number, it’s possible to access different types of resources, depending on the protocol supported by the user-agent.

For example, it’s possible to query a web page with a URI like enum:+16044845289 in the browser thanks to the num2web Firefox extension.

There’s a project called SEMNUM that aims to associate a phone number with a FOAF file; for example:

$ORIGIN 1.0.1.1.1.1.5.5.5.0.8.7.3.4.e164.arpa.
@ IN NAPTR 100 10 "u" "E2U+foaf" "!^.*$!http://foo.bar/foaf.rdf!" .

If an RFC were published, it would hence be possible to query an OpenID with a telephone number via DNS.

There are some privacy issues but it may be possible to use a private ENUM system.

Interestingly, a French mobile operator recently became an OpenID provider. If VoIP, mobile and landline carriers started to offer OpenID, using a (virtual) phone number as an alternative OpenID might become common usage.

Posted by kael at
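As an added example, not part of the comment above nor of any ENUM implementation: the two steps a resolver performs with the records kael shows, turning an E.164 number into its e164.arpa name and applying a NAPTR regexp field to obtain the URI for a requested service such as E2U+foaf.  The record set is constructed from the comment (the hosts are documentation examples), the lookup is in-memory rather than a live DNS query, and only terminal (“u”) rules are handled.

```python
import re

# NAPTR records for +1 555 42 42 as in the comment above, kept as
# (order, preference, flags, service, regexp) tuples.  Constructed sample
# data: the hosts are documentation examples, not real endpoints.
SAMPLE_NAPTR = [
    (100, 10, "u", "E2U+sip",      "!^.*$!sip:phoneme@example.net!"),
    (102, 10, "u", "E2U+mailto",   "!^.*$!mailto:myemail@example.com!"),
    (102, 10, "u", "E2U+xmpp",     "!^.*$!xmpp:some-user@example.com!"),
    (102, 10, "u", "E2U+web:http", "!^.*$!http://example.net/!"),
    (102, 10, "u", "E2U+foaf",     "!^.*$!http://foo.bar/foaf.rdf!"),
]


def e164_to_enum_name(number, suffix="e164.arpa."):
    """RFC 3761 name construction: keep only the digits, reverse them,
    separate with dots and append the ENUM zone.
    '+1 555 42 42' -> '2.4.2.4.5.5.5.1.e164.arpa.'"""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in %r" % (number,))
    return ".".join(reversed(digits)) + "." + suffix


def apply_naptr_regexp(regexp, number):
    """Apply a NAPTR regexp field, 'DpatternDreplacementDflags' with D the
    delimiter, to the canonical E.164 form of number ('+' and digits only).
    Returns the rewritten URI, or None if the pattern does not match.
    Escaped delimiters inside the pattern are not handled here."""
    delim = regexp[0]
    pattern, replacement, flags = regexp[1:].split(delim)
    # NAPTR back-references are \1..\9, the same syntax Python's re.sub
    # uses, so the replacement can be passed through unchanged.  'i' is the
    # only flag RFC 3403 defines for this field.
    compiled = re.compile(pattern, re.I if "i" in flags.lower() else 0)
    canonical = "+" + re.sub(r"\D", "", number)
    if not compiled.search(canonical):
        return None
    return compiled.sub(replacement, canonical, count=1)


def resolve_enum(number, records, service):
    """Pick the record for the wanted service (lowest order, then lowest
    preference) and rewrite the number into that service's URI.
    Simplification: records for services the caller did not ask for are
    ignored rather than evaluated in order as RFC 3403 prescribes."""
    matching = [r for r in records if r[3].lower() == service.lower()]
    if not matching:
        return None
    order, pref, flags, svc, regexp = min(matching, key=lambda r: (r[0], r[1]))
    if flags.lower() != "u":
        return None  # non-terminal rules would need a further lookup
    return apply_naptr_regexp(regexp, number)


# Stand-in for the DNS zone: ENUM name -> NAPTR record set.
ENUM_ZONE = {e164_to_enum_name("+1 555 42 42"): SAMPLE_NAPTR}


def lookup_enum(number, service, zone=ENUM_ZONE):
    """Full flow: number -> e164.arpa name -> NAPTR set -> URI for service."""
    records = zone.get(e164_to_enum_name(number), [])
    return resolve_enum(number, records, service)


if __name__ == "__main__":
    print(e164_to_enum_name("+1 555 42 42"))
    for wanted in ("E2U+sip", "E2U+foaf", "E2U+h323"):
        print(wanted, "->", lookup_enum("+1 555 42 42", wanted))
```

The FOAF case is what the comment is after: a client that understands E2U+foaf asks for that service, gets http://foo.bar/foaf.rdf, and can then read the <foaf:openid/> element from the file; a service the zone does not publish (E2U+h323 here) yields None rather than a guess.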

random.shuffle(services) is not needed, surely?

Posted by Ben Laurie at

random.shuffle(services) is not needed, surely?

I believe it is.  Change the previous executable line to if service[0]==services[-1][0]] to see why — you will always get xmpp-server1.l.google.com:5269 instead of load balancing across the four provided domains.

Posted by Sam Ruby at

Using your email address as an OpenID?

Sam Ruby has recently reopened the debate on how to use email as an alternative (always an alternative, never a replacement) to one’s own OpenID URL. He takes his cue from a somewhat old article that considered, precisely,...

Excerpt from Il blog italiano su OpenID - Home at

I came across the Drupal authentication module, which enables the use of external credentials to log onto unknown sites and in particular the use of a JabberID as a login.

This system is a great single sign-on one, except that it requires entering the password on unknown sites.

A solution would be to use XEP-0070 - Verifying HTTP Requests via XMPP for a "password-less authentication, that [would use] your instant messenger identity to confirm your [JID]".

This system would solve the usability problem by using an email address-like ID with an apparently secured authentication mechanism.

And perhaps a way to delegate an OpenID to a JID could be formally defined as an OpenID extension, so that we could use our JID as an alternate OpenID.

Posted by kael at

As I just pointed at the (in Spanish) SMSAuth Project Wiki, there is a working OpenID via XEP-0070: the South African XMPP Federation OpenID Server.

It uses a one-time Transaction Identifier to validate that the request arriving from XMPP is not a hijacked one.

Posted by Santiago Gala at

Quick openid test. Please ignore

Posted by James Snell at

Announcing Emailtoid: mapping email addresses to OpenIDs

The other night at Beer and Blog in Portland, fellow Vidooper Michael T Richardson announced and launched a new service that I’m both excited and a little apprehensive about. The service is called Emailtoid, and while I prefer to pronounce is...

Excerpt from FactoryCity at


Using your email address as an OpenID?

Sam Ruby has recently reopened the debate on how to use email as an alternative (always an alternative, never a replacement) to one’s own OpenID URL. He takes his cue from a somewhat old article that considered, precisely,...

Excerpt from OpenID Italia - Il blog at
