Comment by shakna

20 hours ago

Last time my government tried that, they failed. [0]

You need to 100% trust those verification services. And considering their success rate [1], you shouldn't.

[0] https://thinkingcybersecurity.com/DigitalID/

[1] https://discord.com/press-releases/update-on-security-incide...

9 comments

shakna

Reply
Nursie  19 hours ago

> You need to 100% trust those verification services.

First link - mitigation: use a well supported standard like OIDC, not a home-cooked scheme. Duh.

Second link - this is part of the problem such schemes as verifiable credentials are designed to address, random third parties collecting ID they don't need.

Yes, any system needs to be executed well. Neither of these really display that.

  • shakna  19 hours ago

    If _the government_ can't be trusted not to use a dumbass scheme, then no, it isn't a duh moment. You don't exactly get to dictate how the government implements it!

    The point is that systems today, aren't really well executed. So it is unreasonable to expect them to be well executed.

    If you can't trust people not to build the bomb well - then don't let them build a bomb.

    • Nursie  19 hours ago

      > You don't exactly get to dictate how the government implements it!

      Who was talking about the government implementing it? I wasn't.

      And also "This has been done poorly in the past so we should never attempt to do it again, better" seems an odd way to go about things. There are well put together schemes by international standards bodies in this area now. Neither of the above links followed them.

      6 replies →