
Comment by ongy

13 days ago

You could do some scheme that hashes a site-specific identifier with an identifier on the smart element of the ID.

If that ever repeats, the same ID was used twice. At the same time, the site ID would act as salt to prevent simple matching between services.

People do, in fact, have multiple profiles. For very valid reasons.

  • The solution to this seems to be to issue multiple "IDs". So essentially the government mints you a batch of like 30 "IDs" and you can use each of those once per service to verify an account (30 verified accounts per service). That allows for the use case of needing to verify multiple accounts without allowing you to verify unlimited accounts (and therefore run into the large scale misuse issue I pointed out).

    If you need to verify even more accounts the government can have some annoying process for you to request another batch of IDs.

    • This is a solved problem in the authentication space. Short-lived tokens backed by short-lived keys.

      A token is generated that has a timestamp and is signed by a private key with payload.

      The public key is available through a public API. You throw out any token older than 30 seconds.

      Unlimited IDs.

      That's basically what you want.

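The hashing scheme from ongy's comment combined with the fixed batch of 30 IDs from the first reply, as an added example that is not code from any commenter. The names `card_secret`, `pseudonym` and `Service` are hypothetical, HMAC-SHA256 is a swapped-in choice for "hashes", and the sketch assumes the service can trust that the presented value was computed by a genuine card, which is not modelled here.

```python
import hashlib
import hmac

BATCH_SIZE = 30  # batch size suggested in the first reply


def pseudonym(card_secret: bytes, site_id: str, slot: int) -> str:
    """Derive the per-site identifier for one slot of the issued batch.

    card_secret is a hypothetical secret held on the ID's smart element.
    Mixing in site_id makes the output differ per service, so two services
    cannot match users by comparing the values they store.
    """
    if not 0 <= slot < BATCH_SIZE:
        raise ValueError("slot outside the issued batch")
    site = site_id.encode()
    # Length-prefix the site ID so (site, slot) pairs cannot collide.
    msg = len(site).to_bytes(2, "big") + site + bytes([slot])
    return hmac.new(card_secret, msg, hashlib.sha256).hexdigest()


class Service:
    """Relying party that accepts each pseudonym for one account only."""

    def __init__(self, site_id: str):
        self.site_id = site_id
        self.seen = set()

    def verify_account(self, presented: str) -> bool:
        if presented in self.seen:
            return False  # a repeat means the same ID slot was used twice
        self.seen.add(presented)
        return True


def demo():
    secret = bytes(range(32))  # constructed sample secret, not a real key
    forum, shop = Service("forum.example"), Service("shop.example")
    first = forum.verify_account(pseudonym(secret, forum.site_id, 0))
    repeat = forum.verify_account(pseudonym(secret, forum.site_id, 0))
    second_profile = forum.verify_account(pseudonym(secret, forum.site_id, 1))
    linkable = pseudonym(secret, forum.site_id, 0) == pseudonym(secret, shop.site_id, 0)
    return first, repeat, second_profile, linkable


if __name__ == "__main__":
    print(demo())
```

The service stores only the derived values, so a leak of one service's table does not reveal which of its users hold accounts elsewhere.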