Hacker News new | ask | show | jobs
by SudoNick 4753 days ago
It would seem that developers receiving verified email addresses of users was deemed more important than privacy and supporting scenarios where email addresses aren't required to establish accounts :( IMO, a hard requirement should have been that email addresses are optional and Mozilla should go back to the drawing board for that reason alone. The "it technically doesn't have to be a working email address if the identity provider doesn't want it to be" argument isn't enough.

IMO, another hard requirement should have been that it involve no other parties than the user and the site where they are establishing an account and that approach should be easy for everyone. Major email providers are compromised and therefore email providers should be designed out of the process. Asking average users to setup and maintain their own identity provider is asking too much.
1 comments
shardling 4753 days ago
>The "it technically doesn't have to be a working email address if the identity provider doesn't want it to be" argument isn't enough.

Err, even though it does literally everything you want?

>Asking average users to setup and maintain their own identity provider is asking too much.

So you want a way to prove identity across multiple sites avoids needing any of a central provider, third party providers, and self-hosted providers? Good luck with that...

link
SudoNick 4753 days ago
To your first point, who is the identity provider? In practice, it will almost always be 1) a third party, and 2) an email provider that is unlikely to deviate from the "must be a functional email address" approach. So in order to benefit from that support and stay away from third party identity providers you must run your own identity provider.

To your second point, the problem is that self-hosting an identity provider requires a domain name, Internet accessible HTTPS server, and a server certificate that is trusted per Mozzila's cert bundle. For average users to benefit they'd have to setup their own server on their own premises or turn to a third-party for [identity] hosting service. For at least baseline requirement purposes, the device the user is using should be the only device they need to carryout their account creations and logins. I haven't thought it through, but maybe there could be an @localhost format where the browser itself acts as an identity provider.

link