On 21/05/13 04:15, Marcio Galli wrote:
> * What other alternatives could we create in the future (only e-mail? )
The reason why we send an email out is that through the fallback
identity provider, we are signing a certificate on behalf of the email
provider which essentially says "we know that this user controls this
email address". So we do need to verify that the user can receive emails
at that address before we make that claim.
Going forward, we hope that most users will be able to use an email
provider with native Persona support (or identity bridging) to avoid the
email loop.
> * Could an user start the Persona (first time) from an e-mail
> initiated from the user?
In order for this to work, we would need the user to send us an email
that's cryptographically signed with a key that we trust. Maybe that's
something that DKIM can help with, but I'm not sure how much we can rely
on it for this purpose.
Francois