> If "john_sm...@hotmail.com" is an active identity in 2021 and 2022, it is impossible to know if they are the same identity or two different identities

Have you checked OIDC/OAuth? As someone passes the challenge, the authority responds with a unique id which is never reused for different identities. So if you consider storing email as an identity, then you should rather keep the authority-generated ID and email, then you could distinguish if the email was reused for a different identity.

See https://github.com/sigstore/fulcio/issues/955 for the case of "GitHub repository identity".

In any case, it looks like Sigstore Fulcio is close to what you discussed.

Vladimir

View/Reply Online (#4934): https://lists.spdx.org/g/Spdx-tech/message/4934
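As an added illustration of the suggestion in the message above (not code from the thread, SPDX or Sigstore): a minimal ledger that keys identities on the OIDC `iss` and `sub` claims, treats email as a mutable attribute, and flags an address that reappears under a different subject. It assumes the claims come from ID tokens whose signature, audience and expiry were already validated; the issuer URL, subject values and addresses are constructed.

```python
"""Key identities on the OIDC (iss, sub) pair; email is only an attribute."""


class IdentityLedger:
    def __init__(self):
        self._email_owner = {}  # (iss, email) -> sub that last presented it
        self._emails = {}       # (iss, sub)   -> emails seen for that subject

    def observe(self, claims):
        """Record already-verified ID-token claims and classify the email binding."""
        iss, sub = claims["iss"], claims["sub"]
        email = claims["email"].strip().lower()
        known_subject = (iss, sub) in self._emails
        previous = self._email_owner.get((iss, email))
        self._email_owner[(iss, email)] = sub
        self._emails.setdefault((iss, sub), set()).add(email)
        if previous is None:
            # Address never seen at this issuer: new identity or changed email.
            return "known-subject-new-email" if known_subject else "first-seen"
        # Same address again: only the subject tells us whether it is the same holder.
        return "same-identity" if previous == sub else "email-reassigned"

    def emails_of(self, iss, sub):
        return sorted(self._emails.get((iss, sub), ()))


# Constructed sample claims (hypothetical issuer, subjects and addresses).
ISS = "https://idp.example.test"
SAMPLE = [
    {"iss": ISS, "sub": "u-1001", "email": "john@example.test"},     # 2021
    {"iss": ISS, "sub": "u-1001", "email": "John@example.test"},     # same holder
    {"iss": ISS, "sub": "u-1001", "email": "j.smith@example.test"},  # holder changed email
    {"iss": ISS, "sub": "u-2002", "email": "john@example.test"},     # 2022, address reused
]


def classify_all(events):
    """Run a fresh ledger over the events and return one status per event."""
    ledger = IdentityLedger()
    return [ledger.observe(e) for e in events]


if __name__ == "__main__":
    for event, status in zip(SAMPLE, classify_all(SAMPLE)):
        print(event["sub"], event["email"], "->", status)
```

Reuse is tracked per issuer here, because `sub` is only unique within the issuer that assigned it.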