Re: Using Email as an Identifier from Dave Crocker on 2021-11-16 (public-credentials@w3.org from November 2021)

From: Dave Crocker <dhc@dcrocker.net>
Date: Mon, 15 Nov 2021 17:27:55 -0800
To: Kerri Lemoie <klemoie@concentricsky.com>, Credentials Community Group <public-credentials@w3.org>
Cc: public-vc-edu@w3.org
Message-ID: <d9b9de96-4dcb-7576-9cef-015131de9b6e@dcrocker.net>

On 11/12/2021 8:05 AM, Kerri Lemoie wrote:
> There’s been an ongoing discussion in the Open Badges community about 
> using email addresses as an identifier when a wallet is not being used. 
> This is a dilemma particularly in the Open Badges community because it 
> has been using email addresses as recipient identifiers. Over the years 
> using emails as identifiers has been problematic in numerous ways 
> especially considering that the recipients don’t have control over their 
> email addresses and in the past has led to lost badges.

A topic like this, needs to be very cautious about distinguishing theory 
from practice.  Theory is always more appealing, because it does not yet 
show the scars from suffering the realities of practice.

Identification at global scale is rather more difficult than under more 
limited circumstances.

Assignment of identifiers looks simple.  Until it is done at scale. 
Independence from a controlling organization might look simple.  Go try 
that at scale.  The same applies to queries using an identifier. 
Simple, until done at scale.

In practice, the choices involve tradeoffs, rather than between terrible 
vs. perfect.

Having a single, private organization own and administer all the 
identifiers is about as bad as this topic can get.  It's not a matter of 
whether the organization is enlightened or evil, but in the nature of 
designing a single point of administrative and operational failure.

If you think it's possible to do identifier assignment and lookup where 
no organization is involved, please provide an example that has 
demonstrated utility at scale, because I haven't heard of it.

Absent that, we are back to tradeoffs.

Domain names are an example of a single, public organization, having 
control over the top of the hierarchy, but in practical terms, both 
administration (assignment) and operation (query) are massively 
distributed.  In practical terms, for most of us, the concerning 
dependency is primarily on the domain registrar and registry, rather 
than on ICANN.

And for the left-hand side of the email address, the question is who is 
in charge of the domain name.

If you get your own domain name, the answer is: you!  And you can move 
to different platform provides as you wish.  The burden, then, is the 
hassle of knowing enough to exploit this choice.

If you go with an email service provider and use their domain name, then 
we're back to a single -- typically private -- organization controlling 
your fate.  However the improvement is that they don't have to be 
controlling mine.  Or the other guys'.

It's easy to criticize the use of email addresses as global identifiers. 
  What is difficult is finding a better alternative.  That works at scale.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Received on Tuesday, 16 November 2021 01:28:29 UTC