Comment by myrion
2 days ago
That's not how that works - they can prove they check by showing logs, rather than VPs. There's even legal limits on what identifiers they can store and for how long. But even ignoring that, they'd be storing only very limited disclosures.
The base registry stores identifiers of issuers and verifiers, not credential holders.
Even the status register does not contain the tokens themselves:
> Within these status lists, each index (i.e., status entry) documents the validity of one VC. The corresponding index is captured in the VC’s metadata to allow for a decentralized status information retrieval that does not require verifiers or the VC holder to contact the issuer.
Of course, each issuer needs to maintain a list of the credentials they have issued in order to be able to ever revoke them. That's unavoidable.
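The status-list lookup quoted in the comment above, as an added example that is not part of the original comment or of the e-ID project's code. It assumes a zlib-compressed, base64url-encoded bit array with one bit per credential, least significant bit first; the thread does not specify the encoding, and all function names and sample indices are hypothetical.

```python
import base64
import zlib

VALID, REVOKED = 0, 1


def encode_status_list(bits: bytearray) -> str:
    """Issuer side: compress and base64url-encode the raw bit array."""
    return base64.urlsafe_b64encode(zlib.compress(bytes(bits))).rstrip(b"=").decode()


def set_status(bits: bytearray, index: int, status: int) -> None:
    """Issuer side: change the single bit that belongs to one credential."""
    byte, offset = divmod(index, 8)
    if status:
        bits[byte] |= 1 << offset
    else:
        bits[byte] &= ~(1 << offset) & 0xFF


def check_status(encoded_list: str, index: int) -> int:
    """Verifier side: read one credential's bit from a downloaded list."""
    padded = encoded_list + "=" * (-len(encoded_list) % 4)
    raw = zlib.decompress(base64.urlsafe_b64decode(padded))
    byte, offset = divmod(index, 8)
    if index < 0 or byte >= len(raw):
        raise IndexError("status index outside the published list")
    return (raw[byte] >> offset) & 1


def build_demo_list() -> str:
    # Constructed sample: room for 1024 credentials, indices 17 and 900 revoked.
    bits = bytearray(1024 // 8)
    set_status(bits, 17, REVOKED)
    set_status(bits, 900, REVOKED)
    return encode_status_list(bits)


if __name__ == "__main__":
    published = build_demo_list()
    # The index would come from the VC's own metadata (constructed values here).
    for idx in (16, 17, 900):
        print(idx, "revoked" if check_status(published, idx) else "valid")
```

The published list carries only bits: no holder identifier and no credential content. The verifier resolves the status from a fetched copy of the list without sending the credential to the issuer.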
> But even ignoring that, they'd be storing only very limited disclosures.
Just to be clear, here I am not concerned about the verifiers, I am concerned about the authority (Government).
> The base registry stores identifiers of issuers and verifiers, not credential holders.
If the verifiers provide the verification tokens to the Government, can't the Government identify the original issuer even if they don't store them? Don't these tokens contain the DID of the issuer? Please correct me if I'm wrong, maybe I didn't get this part right.
> That's not how that works - they can prove they check by showing logs, rather than VPs
Logs can be manipulated, VPs can't. If I had a company and I was forced to verify users, I'd try to store those VPs for as long as possible, for my own protection.
> There's even legal limits on what identifiers they can store and for how long
I was not aware of this. Is that documented anywhere?