https://github.com/WICG/email-verification-protocol/blob/mai...
could easily be done by malicious JS, an ad script, or the website itself, and then as the RP gets the output of 6.4) email and email_verified claims.
I'm guessing that this proposal requires new custom browser (user-agent) code just to handle this protocol?
Like a secure <input Email> element that makes sure there is some user input required to select a saved one, and that the value only goes to the actual server the user wants, that cannot be replaced by malicious JS.
Less easily than you'd think.
You'd have to make an authenticated cross-origin request to the issuer, which would be equivalent to mounting a Cross-Site Request Forgery (CSRF) attack against the target email providers.
Even if you could send an authenticated request, the Same Origin Policy means your site won't be able to read the result unless the issuer explicitly returns appropriate CORS headers including `Access-Control-Allow-Origin: <* or your domain>` and `Access-Control-Allow-Credentials: true` in its response.
Browsers can exempt themselves from these constraints when making requests for their own purposes, but that's not an option available to web content.
> I'm guessing that this proposal requires new custom browser (user-agent) code just to handle this protocol?
Correct, which is going to be the main challenge for this to gain traction. We called it the "three-way cold start" in Persona: sites, issuers, and browsers are all stuck waiting for the other two to reach critical mass before it makes sense for them to adopt the protocol.
Google could probably sidestep that problem by abusing their market dominance in both the browser and issuer space, but I don't see the incentive nor do I see it being feasible for anyone else.
This seems extremely marginal. The point of verifying an email address is to subsequently use it to send email.
This looks broadly similar to that, but with some newer primitives (SD-JWT) and a focus on autocomplete as an entrypoint to the flow. If I recall correctly, the entire JOSE suite (JWT, JWK, JWE, etc.) was still under active iteration while we were building Persona.
And hey, I applaud the effort. Persona got a lot of things right, and I still think we as an industry can do better than Passkeys.
For historic interest, the Persona After Action Report has a few key insights from when we spun down the project: https://wiki.mozilla.org/Identity/Persona_AAR
Apparently the common workaround for the Google Wallet stuff is to pair a GrapheneOS phone with a stock Android smartwatch.
Edit: Here's some additional information on banking apps: https://privsec.dev/posts/android/banking-applications-compa...
Apparently the common recommendation these days is to use Curve Pay as a virtual card provider on GrapheneOS, which can then route to arbitrary underlying cards. And evidently Google Wallet does work for things that aren't payment cards (airline tickets, transit passes, etc.) on GrapheneOS.
It's also really peaceful underground.
Amusingly enough, I can't handle blue-water or wall dives (vertigo), nor wrecks (those aren't supposed to be there!), but caves are no problem. You've got walls, floor, and ceiling as a frame of reference, and everything is nice and cozy. It's like the Earth is giving you a hug.
[0]: https://commons.m.wikimedia.org/wiki/File:Vortex_Spring_cave...
The Mecca for cave diving is in the Yucatán and surrounding areas, and the caves there are exceptionally warm. The surface water can be chilly, coming in around 21 °C at one of the many cenotes (sinkholes, which are the entry points into the system) as rainwater fills them, but as you penetrate further into the cave you will eventually cross the halocline, at which point deeper = warmer ocean water. It’s quite unintuitive but delightful to warm up after a 2+ hour dive. It’s common for divers to go deeper, pull their wetsuit open a little to fill it with warmer water (24 °C+), and then rise back up to the planned depth.
Cold cave diving is a very different experience and is usually found in Florida and Europe. Don’t recommend.
I am envious of the speleothems in Yucatán cenotes. Florida's caves are all phreatic, so you don't get any real decoration beyond scalloping. Still fun to dive, just not much to see aside from water, wet rocks, and a line. And not even that if you blow the viz.
"Ofcom is the independent regulator for Online Safety. [...] Ofcom has strong enforcement powers"
https://www.gov.uk/government/collections/online-safety-act
Okay, so what does Ofcom say?
"It doesn’t matter where you or your business is based. The new rules will apply to you (or your business) if the service you provide has a significant number of users in the UK, or if the UK is a target market."
https://www.ofcom.org.uk/online-safety/illegal-and-harmful-c...
Now if someone made one with the ability to drag colored blocks of days around...
Source at https://github.com/cassidoo/pocketcal