Comment by shakna
13 hours ago
You should probably stop pretending you know what myID is, and what it does.
Its a sovereign identity verification service. That is not limited to above PL2 verifications. There are age-only accredited entities in the registry.
Its one of the approved verification tools for the Online Safety Act 2021 . It was renamed as part of the passage of the law. You're just not forced to use it, for verification.
And yes, it does it poorly, and does not follow a standard. Its using Vanguard's PAS behind the scenes [1], with extras ServiceNow tacked on. Until they rearchitect the entire damn thing.
So... As I might have doxxed myself a little just now... No, uploading identity documents is never a safe process. Its a king's hoard in treasure before nations that never sleep.
Name a provider, and there will be a breach, and it will continue to affect the victims most of their lives.
[1] https://www.sec.gov/enforcement-litigation/administrative-pr...
> No, uploading identity documents is never a safe process.
You should probably stop pretending you understand verifiable credentials then.
Because if you did, you'd understand that they don't need to involve uploading identity documents anywhere.
The idea is to defer to service providers such as banks that have already performed such verification, often physically. And if you want to argue that banks should stop verifying who people are when they open accounts... well that's going to be an interesting conversation.
Without doxxing myself too much, I'm going to say that I know intimately the details of a project within Australia to build a standards-based non-government VC system that won't touch a single piece of ID at any stage, as an additional capability on a commercial identity system that's already active and in use.
KYC rules require the banks collect those, and keep them on an online portal. This information is held by the ABA - hence why they were falsely accused because of the infostealer breach last year.
I have absolutely not said banks should stop collecting ID. Collecting it in person is a fantastic idea. Holding it on an isolated network is difficult, but a good compromise, and banks are better suited to doing that than most.
Uploading it to a S3 bucket in Sydney, as the ABA do, is a moronic decision. That myID upload it to a Azure Blob in Sydney, is worse than I feel the need to explain.
If you think you can succeed, where literally no one else in the world has, good luck to you. But I expect the same result as Forticode.