[uniqueid]

In my ideal world, we have a framework for brick-and-mortar businesses to act as internet notary service providers.

If you want a general-purpose open-id style account, you visit a notary, and provide them with a fee and proof of your identity. You tell the notary how much information they can share (in particular, whether they can release your name to the internet, or just the "we verified this account is held by a real person" boolean).

The protocol would cover much more than passport info though. You could have a notary vouch that you're a licensed driver, or have a college degree, visited a certain country, etc.

That might cut through some flavors of online nonsense. It would also allow people to stay pseudonymous, and yet enable law enforcement to subpoena their identity, if they go on a killing spree, or hack a few million dollars worth of bitcoin.

[weinzierl]

CAcert has a system in place that is close to what you described[1]. Basically already verified users check the identity documents of new users and vouch for their authenticity. Their "Assurer Handbook"[2] is an interesting read. When I became an assurer a few years ago the person that trained me also took their task very seriously and I learned a ton about how to check identity documents for forgeries. That alone made it worth it.

Since we have Let's Encrypt I'm not entirely sure what CAcert's place and purpose is, but I think with an existing network of trusted people they are in an ideal position to pivot into a decentralized online identity system.

Mark Shuttleworth's Web of Trust similarly had so called Thawte Notaries but I think it was discontinued a few years ago.

[1] http://wiki.cacert.org/FAQ/AssuringPeople

[2] http://wiki.cacert.org/AssuranceHandbook2

[horizin]

It's possible to enable this setup using verifiable credentials - an emerging W3C standard for creating and sharing "attestations" about a person.

https://www.w3.org/TR/vc-data-model/

[uniqueid]

Holy mackerel! Thank you :) I've been thinking about this issue for weeks. This standard looks very relevant!

[orf]

> You could have a notary vouch that you're a licensed driver, or have a college degree, visited a certain country, etc.

Humans, generally, are very bad at caching document fraud. It wouldn't be a vouch for a licensed driver but instead it would be a vouch for "a bit of plastic that looked like a driving license to me".

There is lots of sophisticated fraud and often automated solutions have a much higher rate of detection than your average person, even with some training against common attacks.

[supertrope]

Certificate authorities with brick and mortar locations would be an improvement over the current USA situation of SSN+DOB as master password to all IRL accounts. Checking a drivers license IRL is better than looking at an uploaded scan or photo. They could use those box scanners casinos use.

The main issue is minimizing cost. Dot com companies and banks don't want to pay for this so they peg online identities and account security to SMS effectively pushing off the problem to cellular companies. Cellular companies lack the competence to handle IAM. Opening a branch in every city is very expensive and companies don't want to even pay ~$10 for an offshore script reader to check a SMS code and verify "public information" off a credit report.

Credit card companies that are already liable for fraud usually settle for SSN+DOB, ID scans and aforementioned Equifax data verification because fraud losses are cheaper than in person due diligence.

[uniqueid]

Absolutely! It would be far from perfect, and, but for the worst-case scenario that the internet currently embodies, not worth pursuing. But there's so much room for improvement today. Just placing a barrier against sock puppet accounts would already be a huge win.

[packet_nerd]

Maybe have the DMV be the notary for driver's licenses?

[risyachka]

In my ideal world I never have to deal with notaries and there are no physical documents at all.

[aaron-santos]

Who notarizes the notaries?

[supertrope]

The people who consume the notarized documents. If too much crap comes through they can reject the issuer. Kind of like how Symantec CA got dropped by browser makers.

Public notaries are licensed by US state governments. There is generally a background check, brief training course, and application fee. In at least some states they have strict liability for theft of their stamp.

[aaron-santos]

What does it mean to reject the issuer when there are around 4.4 million notaries in the US? What systems are in place now or would need to be created in order to aggregate trust and what are the pros and cons associated with those systems?

[supertrope]

For individual notaries file a complaint about incompetence or report them for fraud. Signatures, seals, and watermarks aren't as good as public crypto but that's okay because phone calls, clearinghouses, and the legal system backstops them (especially for reversible transactions).

Rejecting issuers would be more applicable to repeated transactions from a corporate certificate authority.

[blotter_paper]

Reputation?

[nsl73]

Why would I ever trust a notary?

As a person being notarized it sounds like I have to give that business more personal information about myself than I usually have to do to get an online identity, as suggested by your subpoena statement.

As a service trying to verify accounts I now have to trust a third party. Maybe the notary has a business that sells fake IDs in the back that are then used in the notarizing process. Maybe my competition set up a burner notary node in order to flood my service with malicious accounts. It sounds like an attack vector.

[uniqueid]

You've never provided any business with ID? How do you get into nightclubs?

The internet is important. When something is important enough, it is worth the risk. That's why people share secrets with their bank, lawyer, doctor, psychologist, etc.

We are squandering most of the potential of social media, because its design limits worthwhile conversation to hypotheticals. Since there's no reason to trust the honesty or motivations of anyone online, discussing actual data or life-experience is pointless.

[elric]

> How do you get into nightclubs?

Clubs don't care about identity. In some parts of the world they care about age and outward signs of affluence and/or attractiveness.

[uniqueid]

I was thinking of North America, where "carding" is still standard practice.

[supertrope]

>Age

[perryizgr8]

> If you want a general-purpose open-id style account, you visit a notary, and provide them with a fee and proof of your identity.

This is never going to happen. I will never visit a physical location in order to create an online account. I strongly suspect I'm not alone in this regard.

[yunruse]

It would create a small financial (and convenience) pressure to use one identity. Careful design would be needed to ensure that multiple identities are encouraged and accepted.

[supertrope]

There is enormous pressure to converge on one identity. IAM has huge network effects. On-boarding customers is an expense so businesses and governments rely heavily on existing rails like email, SSN+DOB, Facebook, SMS, etc. If you don't want to surrender SSN or your whole Facebook profile your only option is to reject the service entirely.

[mirimir]

Facebook accounts are available for $1-$10, payable in cryptocurrencies.

[Schiendelman]

More like $25-50. But even then, it likely doesn’t have the attributes attached to it that you want if you have a particular target.

[rendaw]

It could also make things like online voting (like, for winners in a contest or features in software) possible which would otherwise be impossible due to multiple accounts.