> the site that you're authenticating with doesn't get any further details beyond your e-mail address
But Mozilla's servers (or the email provider, but I don't expect to see any significant uptake of this feature) get information in the HTTP requests, whether they like it or not, and they're based in the US.
However, we've designed the protocol so that all of these pieces (necessary to bootstrap the system) will go away over time.
#1 will go away once we have native support in the browser (some of our developers have starting working on this). #2 will go away once we make include.js self-hostable, which we are definitely planning to do. #3 will no longer be needed once sites can use local verification libraries, which we have started writing. #4 can already be avoided if you put up your own identity provider (several people have done so).
But Mozilla's servers (or the email provider, but I don't expect to see any significant uptake of this feature) get information in the HTTP requests, whether they like it or not, and they're based in the US.