I haven't read the spec at all, but completely off the top of my head, I'd have thought the point would be to use your email address as a unique identifier (as many sites do now), and provide a way to prove that the browser trying to log into my website belongs to the same person as the email address. You can 'self attest' and that's fine - the point would surely be that I cannot pretend to be you. Of course, you could make your mail server pretend that I'm you, so I could impersonate you with your permission, but that's true of most authentication - if you have a password, you can tell me what it is.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds