Open jernst opened 2 years ago
I think this is a really interesting idea, and it opens up some conversations around other DRR delivery mechanisms… It also opens a channel for modeling direct delivery of certain types of access requests (ofc a 700mb zip file won’t go in to your email but would a 1mb json file? reasonably.)
There are some details that need to be lined up here, but I think I will leave this issue open for future consideration as we move along implementation.
If the User Agent could submit, on behalf of the User, requests via e-mail from the e-mail address that the CB has on file, a lot of User authentication issues become a lot simpler:
The CB already accepts password resets through that e-mail address, and so arguably a user sending such a request by e-mail is as well authenticated as if the User had logged into their website.
This would depend on the e-mail being sufficiently authenticated (DKIM, SPF etc) so it cannot be spoofed by an attacker.
It could be as simple as allowing
mailto:
in addition tohttps:
protocols in the well-known file.