Re: Using Email as an Identifier

I would agree. Excellent thread with a wide array of quotable insights. Thanks for initiating, Kerri!

> Theory is always more appealing, because it does not yet show the scars from suffering the realities of practice.

________________________________
From: Kim Hamilton <kimdhamilton@gmail.com>
Sent: Monday, November 15, 2021 8:54 PM
To: dcrocker@bbiw.net; Eric Kuhn
Cc: Kerri Lemoie; Credentials Community Group; public-vc-edu@w3.org
Subject: Re: Using Email as an Identifier

This is a fantastically clear yet brief description of VCs. Great insights in your response, Eric.

> Verifiable Credentials are externalizing and giving the credential usefulness outside of the boundary of the entity issuing it.

On Mon, Nov 15, 2021 at 5:30 PM Dave Crocker <dhc@dcrocker.net> wrote:
On 11/12/2021 8:05 AM, Kerri Lemoie wrote:
> There’s been an ongoing discussion in the Open Badges community about
> using email addresses as an identifier when a wallet is not being used.
> This is a dilemma particularly in the Open Badges community because it
> has been using email addresses as recipient identifiers. Over the years
> using emails as identifiers has been problematic in numerous ways
> especially considering that the recipients don’t have control over their
> email addresses and in the past has led to lost badges.


A topic like this needs to be very cautious about distinguishing theory
from practice.  Theory is always more appealing, because it does not yet
show the scars from suffering the realities of practice.

Identification at global scale is rather more difficult than under more
limited circumstances.

Assignment of identifiers looks simple.  Until it is done at scale.
Independence from a controlling organization might look simple.  Go try
that at scale.  The same applies to queries using an identifier.
Simple, until done at scale.

In practice, the choices involve tradeoffs, rather than between terrible
vs. perfect.

Having a single, private organization own and administer all the
identifiers is about as bad as this topic can get.  It's not a matter of
whether the organization is enlightened or evil, but in the nature of
designing a single point of administrative and operational failure.

If you think it's possible to do identifier assignment and lookup where
no organization is involved, please provide an example that has
demonstrated utility at scale, because I haven't heard of it.

Absent that, we are back to tradeoffs.

Domain names are an example of a single, public organization, having
control over the top of the hierarchy, but in practical terms, both
administration (assignment) and operation (query) are massively
distributed.  In practical terms, for most of us, the concerning
dependency is primarily on the domain registrar and registry, rather
than on ICANN.

And for the left-hand side of the email address, the question is who is
in charge of the domain name.

If you get your own domain name, the answer is: you!  And you can move
to different platform providers as you wish.  The burden, then, is the
hassle of knowing enough to exploit this choice.

If you go with an email service provider and use their domain name, then
we're back to a single -- typically private -- organization controlling
your fate.  However the improvement is that they don't have to be
controlling mine.  Or the other guys'.

It's easy to criticize the use of email addresses as global identifiers.
What is difficult is finding a better alternative.  That works at scale.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Received on Tuesday, 16 November 2021 14:52:05 UTC