Allowing email replies to annotations when no account exists

[dwhly]

If we're emailing a mailing list for every annotation made, and for any responses creating annotations as replies (see #1004), then we'll have situations when replies are generated for folks for whom we have no user account.

It seems like we should probably use the email address in these situations as the user name-- and displayed as such when viewing the annotation.

Should we obfuscate these usernames? i.e. "dwhaley@....."
Only when not logged in?

If the person later creates an account with this username, should we then show these previous annotations as being from that user, or continue to refer to them as being from the email address? (Policy question and technical difficulty both here probably).

Interested in perspectives from @tilgovi and @shepazu and others.

[tilgovi]

@dwhly, in your summary it sounds like you're assuming that users without a username/account can comment, but that's not the case today.

[dwhly]

1. Someone annotates a W3C spec
2. We copy the annotation to their mailing list
3. Someone replies to the mailing list entry, and does NOT have an annotation account already.
4. Do we show the reply, and attributed to who?

[shepazu]

@dwhly, good question, and good answers.

My opinion:

1. yes, use the email address

2. yes, obfuscate the email address (though if someone looks on the W3C email archive, email addresses are not obfuscated… but we're dealing with a new interface, and people might prefer that consideration and be unpleasantly surprised by having their emails displayed in annotations)

2a) I don't think we should deobfuscate email addresses even if the reader is logged in; it's more complex behavior, and doesn't solve any real problem

3. ideally, we should reconcile annotations made by an author who creates an associated account with that email afterwards, but if it's technically difficult, then we could put that feature off to a later phase; no matter when it's implemented, it will work retroactively, so the only questions then are A) is it too technically hard to do at all? and B) will it look klugey in the interim?

A related question: what if someone replies from a W3C mailing list with one email address, but registers with a different email address? Could they associate multiple (verified) email addresses with the same username?

[dwhly]

Agree with these points. Re: 3 above, had same thought. Might be something we do later. @tilgovi will have the best perspective.

And yes, associating multiple email addresses with the same account will become a priority at some point, for exactly these kinds of reasons.

[csillag]

And yes, associating multiple email addresses with the same account
will become a priority at some point, for exactly these kinds of reasons.

Like with time-stampts, GitHub has a nice workflow for this. We just need to copy that.

[tilgovi]

I think the most sensible thing would be to consider the annotations as made by a the server. This issue then reduces to the issue of separating the annotation from its body. What we show then as the author of the body is definitely the e-mail address, and we may wish to obfuscate it slightly depending on the requirements of the deployment. But I'm going to close this issue here because it's something I would prefer to see solved by a separate project.

The plan of attack is:

• Implement OAuth for our API
• Implement lightweight, HTTP notifications (such as webmention)
• New repository, new service, consumer of our API, which is our annotation <-> email list gateway daemon

[tilgovi]

Moving to hypothesis/vision#44