
RE: [EXTERNAL] Re: Using Email as an Identifier

From: Eric Kuhn <Eric.Kuhn@microsoft.com>
Date: Fri, 12 Nov 2021 21:18:20 +0000
To: Manu Sporny <msporny@digitalbazaar.com>, Credentials Community Group <public-credentials@w3.org>
CC: "public-vc-edu@w3.org" <public-vc-edu@w3.org>
Message-ID: <SN6PR00MB041397EAC6A00B8F388E583DEA959@SN6PR00MB0413.namprd00.prod.outlook.com>
Verifiable Credentials are externalizing and giving the credential usefulness outside of the boundary of the entity issuing it. If the user does not yet have a Wallet to use, the issuer will still have a record of whatever the accomplishment is until the user does have a Wallet. 

We would advise our issuance customers to give their users a VC at time of credential attainment (i.e. completing a course) but have a way to come back at a later point in time to get issued the Verifiable Credential.  

Eric 

-----Original Message-----
From: Manu Sporny <msporny@digitalbazaar.com> 
Sent: Friday, November 12, 2021 1:59 PM
To: Credentials Community Group <public-credentials@w3.org>
Cc: public-vc-edu@w3.org
Subject: [EXTERNAL] Re: Using Email as an Identifier

On 11/12/21 11:05 AM, Kerri Lemoie wrote:
> There's been an ongoing discussion in the Open Badges community about 
> using email addresses as an identifier when a wallet is not being used.

The issue comes down to "How do you authenticate someone that presents an Open Badge with an email address as a subject identifier?"

There are email ceremonies that can handle this today (just email the person with an authentication code).

I mean, the way the problem is proposed really only drives one way of solving the problem.

"You have an email address and nothing else as a subject identifier." -- well, then you only have one solution available to you -- an email address.

However, if you shift the problem into "How do I authenticate the person showing the Open Badge"... you could use telephone number, email address, LinkedIn page, Twitter handle, and a variety of other mechanisms that would enable you to authenticate control over that identifier. That is, for example, send the person a message with a 6-digit code and have them respond by typing in that code on a web page.

Remember that you also don't have to provide a credentialSubject.id value in a VC. You can provide multiple alternate identifiers (telephone number, email address, web page), and it's up to the verifier to do the authentication dance there.

It is far less secure and automatic than a DID-based login, though. Remember that you can always re-issue already issued VCs.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
Received on Monday, 15 November 2021 15:11:42 UTC
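
The verifier-side "authentication dance" described in the quoted message, sketched as an added example that is not code from either poster or from any Open Badges or VC library: a credential with no credentialSubject.id and alternate identifiers, and a one-time 6-digit code that proves control of one of them. The credential contents, the class and constant names, the TTL and the attempt limit are all assumptions, and the credential's own proof is assumed to have been verified already.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 600                       # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5                     # guesses allowed per challenge (assumed policy)
CHANNELS = ("email", "telephone")    # identifiers this verifier can message

# Constructed, trimmed credential: no credentialSubject.id, alternate identifiers only.
SAMPLE_VC = {
    "type": ["VerifiableCredential", "OpenBadgeCredential"],
    "credentialSubject": {
        "email": "learner@example.org",
        "telephone": "+1-555-0100",
        "achievement": "Course 101 completed",
    },
}

class ControlChallenge:
    """One-time code proving control of an identifier named in a VC."""

    def __init__(self, vc, channel, now=None):
        subject = vc["credentialSubject"]
        if channel not in CHANNELS or channel not in subject:
            raise ValueError(f"no usable {channel!r} identifier in credential")
        self.address = subject[channel]        # destination comes from the VC only
        self._key = secrets.token_bytes(32)    # per-challenge MAC key
        self._digest = None                    # plain code is never stored
        self.expires = (time.time() if now is None else now) + CODE_TTL
        self.attempts = 0
        self.used = False

    def _mac(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self):
        """Return the 6-digit code to send out of band to self.address."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, keeps leading zeros
        self._digest = self._mac(code)
        return code

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        if self.used or self._digest is None or now > self.expires:
            return False
        self.attempts += 1
        if self.attempts > MAX_ATTEMPTS:       # 10^6 codes: guessing must be capped
            return False
        ok = hmac.compare_digest(self._mac(submitted), self._digest)
        self.used = ok                         # a correct code cannot be replayed
        return ok
```

A successful `verify` shows only that the presenter can currently read messages sent to that address, which is the weaker assurance the message contrasts with a DID-based login.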
