Re: Using Email as an Identifier

On Sat, 2021-11-13 at 14:23 +0000, David Chadwick wrote:
On 12/11/2021 19:23, Ward, David wrote:
Email addresses are often used as identifiers in the real world, so being able to use them as identifiers in VCs would make interoperating with existing systems easier.

Both mailto: and did:tag: URIs are useful depending upon the requirements.  If a DID document is required then something like the did:tag: method could be used, where if just an identifier that can fairly easily be tied back to an individual is required then mailto: is good enough.

On Fri, 2021-11-12 at 17:38 +0000, David Chadwick wrote:
In either case, the verifier still needs to prove that the holder is the subject and controls the email address before accepting the VP. So a standard procedure for doing this will be of benefit to the community in my opinion.

No, there are many use cases where the holder is not the subject.
Agreed. And these are the hardest ones to validate.

It depends on what needs to be validated.  We can still verify that the credential is valid and about a subject identifier.  Something that shows which particular individual is represented by the subject identifier is still needed, even in the case when the holder is the subject.  This may be from the signature on the VP, but for mailto: identifiers (and others that do not have a trusted tie between the signer and an identifier) there would need to be something else even if the holder is the subject.

The verifier may only need to prove that the issuer issued the VC to the subject and that it trusts the issuer before accepting the VP.
Systems need to be able to resolve the subject identifier as identifying a known (or new and unknown) individual to the satisfaction of the systems' requirements.  An email address as identifier can work quite well for that.
For already known subjects, then yes. But not for unknown ones.  An email address is an identifier but not an identity. If the verifier only knows that the subject is a@bc.com and has a university degree, then what are they to make of that? Who is this subject? Is it the holder or someone else? By proving possession the holder is verifying that they are the subject and they have the degree. Otherwise I cannot think of a use case for a verifier in which an unknown subject has an unknown email address and the holder is not the subject. Can you?

In the PK-12 space, yes, for example there are many use cases where the holder is a parent of the subject as the students are not allowed to share anything outside the school.

By "proving possession" I am assuming we are talking about proving possession of the email address, which would then help allow determining the identity of the degree's subject, which just proving possession of the degree VC in this case would not do (still would have the problem of knowing who a@b.com is).

One use case could be as follows:

- I am moving with my family across the country.
- My children's current school does competency based grading and awards VCs (OBs, CLRs, etc.) to a student's district email address.
- The VCs are transferred to me before we move (instead of something paper based as is currently done).
- After moving, I transfer the VCs to my wife so that she can present VPs with them to the new schools when registering our children.
- Among the VCs from the prior school there would be ones that have a claim showing the name and birthdate of a student with the email address identifier.
- Note that the email address no longer works (and even when it did, it was restricted to only exchange emails with other email addresses in the district domain).
- The schools accept the VCs and add claims of their own with the kids' new identifier showing name and birthdate.
- The new schools now have a record of the prior work and competency levels for my children.


David
--
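The two-step distinction running through this thread (first, is the VC valid and from a trusted issuer; second, who is the mailto: subject) applied to the school scenario above, as an added example that is not code from the thread or from any W3C specification. The issuer DID, the addresses, the claims and the shared-key "proof" are all constructed; the HMAC stands in for a real VC proof only so the policy logic can run offline.

```python
import hmac, hashlib, json
from typing import Optional

# Constructed example: a verifier's policy for VCs whose subject is a mailto: identifier.
# Signature verification is stood in for by an HMAC over the canonical claims, keyed per
# issuer; a real deployment would verify the VC's Data Integrity / JWS proof instead.
ISSUER_KEYS = {"did:example:district-school": b"demo-issuer-key"}   # constructed

def _sign(issuer: str, claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()

def make_vc(issuer: str, subject: dict) -> dict:
    """Build a constructed VC: issuer, credentialSubject, and a stand-in proof."""
    vc = {"issuer": issuer, "credentialSubject": subject}
    vc["proof"] = _sign(issuer, subject)
    return vc

def vc_is_valid(vc: dict) -> bool:
    """Step 1: the credential is intact and from an issuer we trust."""
    issuer = vc["issuer"]
    if issuer not in ISSUER_KEYS:
        return False
    return hmac.compare_digest(vc["proof"], _sign(issuer, vc["credentialSubject"]))

def resolve_subject(vcs: list, holder_proved_email: Optional[str]) -> dict:
    """Step 2: decide who the mailto: subject is.

    holder_proved_email is the address the holder demonstrated control of
    (e.g. a confirmation-code round trip), or None when that is impossible,
    such as a defunct district address presented by a parent.
    """
    valid = [vc for vc in vcs if vc_is_valid(vc)]
    ids = {vc["credentialSubject"]["id"] for vc in valid}
    if len(ids) != 1:
        return {"resolved": False, "reason": "no single trusted subject id"}
    subject_id = ids.pop()
    if not subject_id.startswith("mailto:"):
        return {"resolved": False, "reason": "not a mailto: identifier"}
    # Holder is the subject and proved control of the address: identifier resolved.
    if holder_proved_email and subject_id == f"mailto:{holder_proved_email}":
        return {"resolved": True, "by": "email-possession", "subject": subject_id}
    # Otherwise a trusted VC must carry identity claims that tie the address to a person.
    for vc in valid:
        cs = vc["credentialSubject"]
        if "name" in cs and "birthDate" in cs:
            return {"resolved": True, "by": "identity-claims", "subject": subject_id,
                    "name": cs["name"], "birthDate": cs["birthDate"]}
    return {"resolved": False, "reason": "identifier only, no identity binding"}
```

With only a competency VC and no proof of possession, the verifier is left exactly where the thread says it is: holding an identifier, not an identity.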

Received on Monday, 15 November 2021 15:58:16 UTC