Comment by nly
12 hours ago
But to be effective you need to prove that the person presenting the ID is the person the ID belongs to.
In person that falls to a human being, and it's an easy and intuitive task that takes seconds.
On the internet this involves some kind of video recording being sent to some agency somewhere being paid a fee, who may later be asked to prove the efficacy of their service. This agency needs a digital copy of the photo from your ID for matching purposes. They'll be tempted to store this for auditing purposes... they'll also be tempted to store correlation IDs etc if the architecture allows.
The issue is trust. You just can't trust these first and third parties not to collaborate for commercial gain or at government demand or request.
And ultimately you're still exchanging verification at registration for shareable credentials: I could use my ID to sign up to Pornhub premium and then sell the username and password to a 16-year-old if I wished, just like those buying alcohol can go and give it to the underage. A black market for digital credentials is even easier to establish than material goods.
> On the internet this involves some kind of video recording being sent to some agency somewhere being paid a fee, who may later be asked to prove the efficacy of their service. This agency needs a digital copy of the photo from your ID for matching purposes.
That's why I'm talking about an “ID card” using zero-knowledge proofs in a cryptographic chip, not using a paper ID with your picture on top…
Doesn't matter!
You still need to send a digital image from the ID, signed by an authority, saying "this person is 18".
You then still need a trusted ID service or algorithm to capture an image of the user _at the time of use_ to compare that to.
Just having access to your digital ID credentials proves nothing.
The zero knowledge proof only helps prevent tracking between the ID service and the website you're logging into. This is valuable but requires standardisation and client side support, which doesn't exist.
All the time the client side is implemented by JavaScript served from the server side, you're just trusting these parties to behave and not snoop.
https://en.wikipedia.org/wiki/Zero-knowledge_proof