I think we need a worldwide, federated identity system. There should be multiple identity providers, mostly governments and organizations who already have lots of info about you, for example banks. This already works in Poland and several other European countries. Such organizations should verify that you are you the way they currently do, and give you a way of authorizing yourself, i.e. SMS, mobile app, one-time passwords etc. If someone needed to verify your identity, they would go through your chosen org for authentication. This approach has several benefits.

1. You can provide as much or as little info as you want. The info you provide could include true/false assertions. For example, a porn website could just ask the org whether your age >= 18, without the need to know your exact birthdate. Same for citizenship, disability, criminal record etc.

2. You can easily integrate that with other services, for example payments or even a secure communication channel, letting companies contact you without learning any details about you. There could even be a secure shipping service, where the company selling you the product only gets a special QR code to stick on the package. Only one shipping company would get your real address, the rest would just know the next leg of the route.

3. You could provide instant "not a robot" verification, without any captchas, without any personal data and without any hassle. The authorizing org would just give the requestor a token, different for each visit, that they could send with an "add to blacklist" request. The next time a blacklisted user would try to log in to that service, their org would refuse to provide the token.

4. Ability to provide legal accountability without revealing anything. The authenticating org would just provide a token to a service. The user could do whatever they wished, but, in case they'd do something illegal, the police could just force the org to actually reveal who was behind that token.

Of course, the system would have to be regulated by a global body of governments or organizations. Each org would have certain responsibilities, i.e. allowing you to port your ID to somewhere else, not requesting more data than necessary, honoring blacklists etc. If that system existed, implementing a safe, seamless online and real-life experience would be trivial. Just imagine if it would be trivial to trace each website, each comment, everything to a real person with a court order, while not giving most companies any data whatsoever.
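The token flow described in the comment above (yes/no assertions, a different token per visit, blacklisting by token, disclosure only under a court order), sketched as an added example that is not part of the original comment. The class, its method names, the in-memory storage and the `forum.example` service name are all assumptions made for illustration.

```python
import secrets
from datetime import date

class IdentityProvider:
    """Hypothetical provider: keeps the real data, releases only tokens and yes/no answers."""

    def __init__(self, birthdates):
        self._birthdates = dict(birthdates)  # user_id -> birthdate, never leaves the provider
        self._tokens = {}                    # opaque token -> (user_id, service)
        self._blocked = set()                # (service, user_id) pairs a service asked to block

    def issue_token(self, user_id, service):
        """Fresh random token per visit; None if this service blacklisted the user."""
        if (service, user_id) in self._blocked:
            return None
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user_id, service)
        return token

    def _owner(self, token, service):
        user_id, issued_for = self._tokens[token]  # KeyError for unknown tokens
        if issued_for != service:
            raise PermissionError("token was issued to a different service")
        return user_id

    def is_at_least(self, token, service, years, today):
        """Answer 'age >= years?' without disclosing the birthdate."""
        born = self._birthdates[self._owner(token, service)]
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        return age >= years

    def blacklist(self, token, service):
        """'Add to blacklist' request: the service names only a token it was given."""
        self._blocked.add((service, self._owner(token, service)))

    def reveal(self, token, court_order):
        """Accountability path: only a court order maps a token back to a person."""
        if not court_order:
            raise PermissionError("court order required")
        return self._tokens[token][0]

def demo():
    idp = IdentityProvider({"alice": date(2000, 5, 17)})  # constructed sample user
    first, second = (idp.issue_token("alice", "forum.example") for _ in range(2))
    adult = idp.is_at_least(first, "forum.example", 18, date(2024, 1, 1))
    idp.blacklist(second, "forum.example")
    # Two visits give unlinkable tokens; after the blacklist request no token is issued.
    return first != second, adult, idp.issue_token("alice", "forum.example")
```

The service never sees a user ID or birthdate, only random tokens and booleans; the token-to-person mapping exists solely inside the provider, which is also where the centralization risk sits.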
On one hand, it would be incredibly useful to only ever have to deal with one service or standard for identities (and that could include the possibility of making things easier for identity theft products to do their job) but it brings with it these other risks around centralizing that kind of information.