Comment by Nursie

21 hours ago

> The successor after the rebrand, is called myID [0], and advertised as:

It's an identity scheme and SSO solution for accessing government services. As said at [0] in the "What is myID" section.

I sincerely hope that they're using something standard and well tested like OIDC behind the scenes this time, because otherwise it's ripe for another fuckup like the one you linked. If it is also used for age verification that appears to be secondary.

> You cannot enforce these real groups, to actually follow good practices. Thus, in practice, everyone gets fucked when you bring in these laws. Because it will always be done the wrong way, by someone.

So we need to stop the Australian government from ever using an SSO/identity solution again because it can't be trusted to do it properly, having messed up in the past, and the rest of us have had to live with the consequences. And as they aren't the only ones to have messed up, companies do it all the time too, we should also ban all identity and SSO solutions (because that's what we're talking about in this thread, banning of age verification, not mandating it).

I don't think you get to call out age validation as a uniquely hard problem that cannot possibly be made safe, but allow other identity-style services a pass. There are many areas in which we (through the government) can and do mandate good practice, both by government and private entities.

[0] https://my.gov.au/en/about/help/digital-id

You should probably stop pretending you know what myID is, and what it does.

It's a sovereign identity verification service. That is not limited to above PL2 verifications. There are age-only accredited entities in the registry.

It's one of the approved verification tools for the Online Safety Act 2021. It was renamed as part of the passage of the law. You're just not forced to use it, for verification.

And yes, it does it poorly, and does not follow a standard. It's using Vanguard's PAS behind the scenes [1], with extras ServiceNow tacked on. Until they rearchitect the entire damn thing.

So... As I might have doxxed myself a little just now... No, uploading identity documents is never a safe process. It's a king's hoard in treasure before nations that never sleep.

Name a provider, and there will be a breach, and it will continue to affect the victims most of their lives.

[1] https://www.sec.gov/enforcement-litigation/administrative-pr...

  • > No, uploading identity documents is never a safe process.

    You should probably stop pretending you understand verifiable credentials then.

    Because if you did, you'd understand that they don't need to involve uploading identity documents anywhere.

    The idea is to defer to service providers such as banks that have already performed such verification, often physically. And if you want to argue that banks should stop verifying who people are when they open accounts... well that's going to be an interesting conversation.

    Without doxxing myself too much, I'm going to say that I know intimately the details of a project within Australia to build a standards-based non-government VC system that won't touch a single piece of ID at any stage, as an additional capability on a commercial identity system that's already active and in use.

    • KYC rules require the banks collect those, and keep them on an online portal. This information is held by the ABA - hence why they were falsely accused because of the infostealer breach last year.

      I have absolutely not said banks should stop collecting ID. Collecting it in person is a fantastic idea. Holding it on an isolated network is difficult, but a good compromise, and banks are better suited to doing that than most.

      Uploading it to an S3 bucket in Sydney, as the ABA do, is a moronic decision. That myID upload it to an Azure Blob in Sydney, is worse than I feel the need to explain.

      If you think you can succeed, where literally no one else in the world has, good luck to you. But I expect the same result as Forticode.