TL;DR: Be conscious of who you trust. OpenID AX attributes may give you an email address, but this creates two potential issues:<p>* Can you be sure that the attribute has not been tampered with in transit? Check the signature (or make sure your library is checking the signature).<p>* Can you trust the OpenID provider to give you a correct and verified email address? Maybe if that provider is Google. Anyone else, probably not.<p>I prefer Mozilla Persona's approach to this problem; your identity effectively <i>is</i> an email address. It's also trivial to integrate.