by tantalic 819 days ago
I am a bit surprised the proposal doesn't suggest using a hash (such as SHA-2) rather than directly passing the email address.
3 comments

That's a reasonable point. I was just modelling on how WebFinger works. A sufficiently secure hash might be sensible.
You'd have to also specify a normalization procedure to make sure that email addresses are provided in the same format each time.
For anyone who thinks that may be a hand wave, there isn't a standard way to normalize email addresses. If you're building to the spec, then the local part can be processed case-sensitively, so Django lowercases the part after @ only. Others strip out stuff like gmail's +tags and really get into the weeds of how different email providers process emails.

https://pypi.org/project/email-normalize/

https://stackoverflow.com/questions/9807909/are-email-addres...

In my mind, the "Right Thing to Do" would be to follow the precedent established by OpenPGP's `.well-known` email-hashing in Web Key Directory (not the prefix of course, and barring technical arguments justifying deviation, which may be considered on merit).

> https://example.org/.well-known/openpgpkey/hu/XXXX

> SHA-1 hashed and z-Base-32 encoded [to distinguish it from a fingerprint]

> The local part is always lower-cased before the encoding. [...] A common example for case-insensitivity are visiting cards which capitalize the canonical lowercase mail address for easier reading.

https://wiki.gnupg.org/EasyGpg2016/PubkeyDistributionConcept
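The WKD lookup described in the quoted text, as an added example that is not code from this thread or from GnuPG: lower-case the local part (ASCII folding only, which is how GnuPG treats it), SHA-1 it, z-Base-32 encode the digest, and build the `hu/` URL. It assumes the domain is lower-cased for the URL and omits the spec's optional `?l=` query parameter so the result matches the quoted form; a `+tag` is deliberately left untouched to show that any extra normalization must be agreed on by both sides.

```python
import hashlib

# z-Base-32 alphabet as used by OpenPGP Web Key Directory (WKD)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-Base-32 (5 bits per character, no padding characters).

    Left-over bits at the end are padded with zeros on the right.
    """
    out = []
    buffer = 0
    bits = 0
    for byte in data:
        buffer = ((buffer << 8) | byte) & 0xFFFF  # keep only the unread bits
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append(ZBASE32_ALPHABET[(buffer >> bits) & 0x1F])
    if bits:
        out.append(ZBASE32_ALPHABET[(buffer << (5 - bits)) & 0x1F])
    return "".join(out)


def wkd_local_part_hash(email: str) -> tuple[str, str]:
    """Return (domain, hu) where hu is the WKD hash of the local part.

    Only the local part is hashed; the domain is carried in the URL.
    bytes.lower() folds ASCII letters only, matching GnuPG's behaviour.
    Nothing else (dots, '+tags', etc.) is stripped: WKD defines no such rule.
    """
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    normalized = local.encode("utf-8").lower()
    digest = hashlib.sha1(normalized).digest()  # 20 bytes -> 32 z-Base-32 chars
    return domain.lower(), zbase32_encode(digest)


def wkd_direct_url(email: str) -> str:
    """Build the WKD 'direct method' URL (lower-cased domain is an assumption here)."""
    domain, hu = wkd_local_part_hash(email)
    return f"https://{domain}/.well-known/openpgpkey/hu/{hu}"
```

Because email local parts are low-entropy and often guessable, hashing them hides the address from casual readers of a URL but does not stop anyone from testing a candidate address against the directory, so the hash is an encoding choice, not an access control.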

They're aware of it, at least. They mention this is how Gravatar works.