"Bad" use of Subject Identifiers

[yaronf]

Yaron: "Subject identifiers requested by the RC serve only to identify the RO in the context of the AS and can't be used as communication channels by the RC" - this sounds a bit naive, people will do that anyway. So why is this a useful statement? (And similarly in 3.4)

Justin: This inclusion is based roughly off of a similar constraint in OIDC around subject identifiers: https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability

I agree that people will do dumb things anyway, but that’s why we need to spell out why it’s dumb here.

Yaron: I haven't looked at the OpenID text, but at least here, we do not explain why using the email address to send email is a bad idea, we just say that it is. I think we should give a rationale.

[fimbault]

There are many reasons why we don't want emails ("should not use email").

1. No assurance it's unique (ex: admin@example.com)
2. No idea on email policy (could be transfered to someone else)
3. Ties to a delivery method (which shouldn't be our goal here)

Also not using email facilitates the distinction with what OIDC/authentication mechanisms provide (more an internal argument for the specification text itself).

Might also want to push forward privacy enhancing mechanisms.