Re: [w3ctag/design-reviews] Incubation: Email Verification Protocol (Issue #1169)

martinthomson left a comment (w3ctag/design-reviews#1169)

> Assuming we move forward with the 3 party model (see below) the non-browser part of this could be a fit for the IETF SPICE WG. WDYT?

That's not the DISPATCH answer I'd give.  The novel parts of this belong in ART, probably in a focused WG.  SPICE might be able to help with the definition of attributes for the various formats if those are necessary, but if you have a working group, I'd be inclined to use SPICE for consultation only and do all the work in the one place.

> We thought the privacy improvements were worth it. What do you think?

A lot of the design rides on this assumption.  As I said, I am unconvinced.  Or rather, I am almost firm in a conviction that it's the wrong choice in this case.

There are two reasons to share email with someone: to allow them to communicate with you and to allow them to identify you.  The latter I have no care for[^track], but the former always involves the mail provider.  So I'm very much of the view that privacy with respect to an email provider is a non-goal. 

[^track]: Without a clear need for communication, asking for email is tracking and I have no respect for people doing that.  I tend to recommend disposable email addresses in that case.  To be clear, there are problems with disposable email addresses and we're working on solutions for that (see recent Anti-Fraud CG discussions), but I think they should be the default.  In other words, privacy with respect to the RP is the main concern I have.

Having to build key binding is something to avoid.  Not just because it is much more complex.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1169#issuecomment-3644233981
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1169/3644233981@github.com>