I
don't mean to troll. I just don't understand why RPs don't just trust
the OP's word. Even if this is just a flag to show that
Yahoo/JanRain/Google did the verification, aren't they going to have to
ignore it when I send it from my OP of ill repute? If they're second
guessing the OP based on verified-timestamp and
i'm-the-postmaster-i-mean-it, that's at least something, though it'll
still need a whitelist of OP that probably don't cheat.
Am I nuts? Are RPs really saying they don't trust an email assertion
from a whitelisted OP without a verified flag? Or that they aren't
going to whitelist at all?
A better way to think about this is that an RP wants to know what
kind of certainty or validity there is to the data being provided by
the OP.
If the OP allows the user to specify an email address without
confirming it, the RP should know that — and then do their own
confirmation if that email address is being used, say, for sending a
receipt after a purchase, or for recovering an account if a user
forgets their OpenID (which happens more than you'd imagine).
Thus if we ignore the "trust issue(s)", we begin to see that the
"verified" attribute has more to do with setting expectations around
the quality of the data being provided by the OP to the RP, giving the
RP the ability to choose what business-logic-rules to apply to the data.
While it would be nice for RPs to implicitly trust OP's
assertions, and many will, I think it's worthwhile to provide a
mechanism for evaluating this data.
Chris
--