[Haskell-cafe] Re: Unified Haskell login

Michael Snoyman michael at snoyman.com
Mon Sep 20 08:27:34 EDT 2010

On Mon, Sep 20, 2010 at 2:06 PM, Maciej Piechotka <uzytkownik2 at gmail.com> wrote:
> On Sun, 2010-09-19 at 17:12 +0200, Michael Snoyman wrote:
>> Let me respond to this directly since a number of people have brought
>> this up:
>> Due to spam reasons we can't trust the email given via an OpenID
>> provider in general. For example, it would be trivial for me to create
>> an OpenID provider for myself, set my email address as <insert someone
>> else's address here> and essentially spam them.
>> By going with a service like Facebook or Google, we know (or at least
>> assume) that they do proper email validation, so we could immediately
>> accept this value without needing to verify it ourselves.
>> In other words: Yes, I know there are extensions to OpenID. And no, we
>> can't use it to get a verified email address.
>> Michael
> There are people who for whatever reason don't use Facebook/Google/....
> And sending verification e-mail costs practically nothing.
> Regards
> PS. If we have on-site registration it would have unverified e-mail as
> well.

>From my original email:

* Username/password on the site. But who wants to deal with *another* password?
* OpenID. Fixes the extra password problem, but doesn't give us any
extra information about the user (email address, etc).
* Facebook/Twitter/Google: We get the users email address, but do we
*really* want to force users to have one of those accounts?

I disagree with the sentiment of "sending a verification e-mail costs
practically nothing". While *sending* it is cheap, we then need to
wait for users to respond to it. Compare this with a Google/Facebook
login scenario, where they click a button on our site, click approve
on Google/Facebook, and are completely approved.


More information about the Haskell-Cafe mailing list