Directed e-mail address concerns in case of making it mandatory #24

Closed
achimschloss opened this issue Jul 23, 2020 · 6 comments
@achimschloss
Contributor

Moving this into a separate issue from #12

The directed e-mail claim feature requires clarification (the privacy goal is clear) (https://github.com/WICG/WebID/blob/master/design.md#directed-basic-profile)

  • given RPs use e-mail addresses to communicate out-of-band with users, who is responsible for generating the addresses and proxying these messages?
  • It seems hardly achievable to build a proper setup for this without the IdP supporting this type of directed e-mail natively including the e-mail proxy/forwarding features (as @davidben mentions, user won't be interested / or recognise these directed e-mails)
  • making this a mandatory requirement is a really high bar in terms of effort for IDPs, more so because they might not all be e-mail service providers themselves.
  • Even if the IdP would be willing to support it, it would be hard to achieve if the IdP is not also in direct control of the top-level e-mail domain (security consideration, address conflicts, ....). They could of course use a dedicated proxy domain only for that purpose, but that seems way beyond the idea of just changing a JS-side integration for IDP and not breaking compatibility
  • There seems to be a lot to consider to make this happen, given the e-mail is used for a lot of scenarios specifically also account recovery etc.
@samuelgoto
Collaborator

Yep, agreed that this is a massive problem. However, I think that the biggest challenges aren't on the IDP side (these are fairly well funded companies, at least in the consumer space. In enterprise and EDU, I think that's a whole different story.)

> There seems to be a lot to consider to make this happen, given the e-mail is used for a lot of scenarios specifically also account recovery etc.

These are the biggest challenges I think: relying parties' use cases where real email addresses are needed. Account recovery and customer support occur often.

Anything else comes to mind where RPs will face a challenge if given a directed email address?

@kenrb
Collaborator

kenrb commented Jul 24, 2020

Speaking to most of those issues, yes this does put an onus on IDPs to make significant changes to how they work, including possibly requiring that non-email-providing IDPs set up forwarding services.

The main way these concerns have shaped our approach is to ensure that IDPs are engaged as stakeholders early on, and also they set expectations for a longer timeline before this might be commonly in use.

@achimschloss
Contributor Author

achimschloss commented Jul 24, 2020

> Anything else comes to mind where RPs will face a challenge if given a directed email address?

Needs some thought - Two things that come to mind immediately:

  1. RPs very often use the email as the primary identifier for the user account within their CRM backend (and not the directed sub value of the ID token as one would hope for). Given that users interact with RPs on a variety of platforms (other browsers that may not support WebID, Mobile, anything that supports a classical OIDC/OAuth flow which is basically any device or just simple plain registrations without any IDP involved) that can lead to undesirable results. Duplicate registrations on the directed and non-directed address, with both e-mail communications ending up in the very same Inbox.
  2. Additionally - A user would hardly be able to log in to the RP by any other means than the IDP. Users are 100% accustomed to using their e-mail to specify the account at the RP, in case that is a directed e-mail that only the IDP can resolve, logging into the account without the IDP based authorisation will be challenging (it's an aspect of the recovery question)

The above would entail changes at RPs most probably and/or user education. Not sure how IDPs that implemented proxy features deal with that.
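
The duplicate-registration outcome from point 1 of the comment above, as an added example that is not part of the thread: a toy RP account table keyed on the `email` claim versus on (`iss`, `sub`). All names and claim values are constructed, and it assumes the IdP issues this RP the same directed `sub` in both flows.

```python
# Added illustration; all names and token values below are constructed.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    emails: set = field(default_factory=set)


class AccountStore:
    """Toy RP account table; `key_fn` picks the lookup key from ID token claims."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.by_key = {}

    def sign_in(self, claims):
        key = self.key_fn(claims)
        account = self.by_key.get(key)
        if account is None:  # first time this key is seen: register a new account
            account = Account(account_id=len(self.by_key) + 1)
            self.by_key[key] = account
        account.emails.add(claims["email"])  # record the address for contact
        return account


def key_by_email(claims):
    return claims["email"].lower()


def key_by_subject(claims):
    return (claims["iss"], claims["sub"])


# Constructed ID token claims for one person signing in to the same RP twice.
# Assumption: the IdP issues this RP the same directed `sub` in both flows.
WEBID_FLOW = {"iss": "https://idp.example", "sub": "rp1-7f3a",
              "email": "x9k2@relay.idp.example"}   # directed address
CLASSIC_FLOW = {"iss": "https://idp.example", "sub": "rp1-7f3a",
                "email": "alice@mail.example"}      # real address


def count_accounts(key_fn):
    store = AccountStore(key_fn)
    for claims in (WEBID_FLOW, CLASSIC_FLOW):
        store.sign_in(claims)
    return len(store.by_key)


if __name__ == "__main__":
    print("keyed on email:     ", count_accounts(key_by_email), "accounts")
    print("keyed on (iss, sub):", count_accounts(key_by_subject), "accounts")
```

A plain registration with no IdP involved carries no `sub`, so keying on (`iss`, `sub`) does not by itself resolve that case.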

@timcappalli

Physical world interactions also greatly suffer here.

Retail loyalty programs are a great example. In most cases, you walk into a store and they ask for a phone or email to look up your loyalty number. If phone number isn't captured and email is a directed email, the user experience greatly suffers overall.

@bc-pi

bc-pi commented Mar 4, 2021

In addition to the many challenges faced by RPs mentioned here and elsewhere (like https://twitter.com/__b_c/status/1362471694082826246) I don't think the challenges to the IDP side can be written off so easily. Support for directed email addresses is a huge requirement that will further push towards centralization of a very small number of large IdPs.

@samuelgoto
Collaborator

samuelgoto commented May 9, 2024

This is an old thread, and we never got to directed email addresses (e.g. in terms of making them mandatory), aren't actively working on anything remotely close to it, so I'm going to close this as obsolete. Feel free to re-open if you feel like there is something actionable here.
