← Back to context

Comment by belltaco

3 years ago

For representing and verifying identity, it should need director level approval.

That's an overly technical way of looking at things. This issue is a whoopsie, not a catastrophic failure at AWS. It doesn't actually represent identity that much because anything critical has humans in the loop. The bank won't accept this as proof of identity. NYT won't accept this as proof of identity: if this bluesky account confessed AWS murders puppies NYT would call somebody they know at Amazon to check.

A company blog is a much bigger vulnerability when it comes to representing and verifying identity. Rather than let somebody fake identify to a computer system it allows faking identity to humans reading it. Yet I don't think most places require director signoff to post.