Re: [w3ctag/design-reviews] Incubation: Email Verification Protocol (Issue #1169)

samuelgoto left a comment (w3ctag/design-reviews#1169)

> One late note, because this came up in a TAG discussion and it seemed like it might clarify the decision about 2- vs. 3-party model...

I think we need to write this down better, but I think there are more benefits between the 2 vs 3 party model other than privacy, and I think that has to do with interoperability.

Originally, OIDC was conceived as a bring-your-own provider, but struggled to figure out (often, UX being a challenge) how to make users provide their own. Fast forward to today, for consumers, websites hard-code which providers they support (e.g. typically Sign-in with Apple, Google, Twitter, Facebook and/or GitHub).

That created an ecosystem that, unintentionally, required a non-interoperable-ahead-of-time exchange between the website and the identity provider (acquiring what's called a `client_id`), which further ossified the non-interoperable position between identity providers.

The three-party model makes it technically impossible that this ahead-of-time registration happens because the issuer doesn't get to learn where their credentials are going to be presented (a behavior that we inherit from the fact that email providers aren't allow-listed by websites).

Without the preregistration, websites accept tokens that are, by construction, independent from the issuer (again, inherited by the norm of email verification being email provider agnostic).

By making the browser the holder, we also managed to [make the browser a verifier](https://source.chromium.org/chromium/chromium/src/+/main:content/browser/webid/delegation/evt_verifier.h;l=62?q=evt_verifier.h&ss=chromium) before returning the token to websites, guaranteeing that what's being returned is interoperable and also giving issuers a testbed of conformance.

We still think that the 3-party model has benefits over the 2-party model in this specific case.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1169#issuecomment-4722374310

Message ID: <w3ctag/design-reviews/issues/1169/4722374310@github.com>

Received on Tuesday, 16 June 2026 19:03:14 UTC