Hacker News
by blobster 1210 days ago
We already do identity verification in the real world, it's called government issued IDs.

There should be opt-in OS-level identity verification based on zero knowledge proofs and tied to your government-issued digital ID. This also solves issues like preventing minors from accessing adult sites, etc.

I should not have to verify with 1000 third parties and hand over my personal data and then hope it's handled properly and doesn't get leaked. We have zero knowledge proofs and we can get OS makers to make this seamless for us.

12 comments

>There should be opt-in OS-level identity

This will be the end of a lot of things, to include the internet we grew up with in the 90s. It's holding on by a hair, but you can still visit personally-owned and hosted websites, and not run any non-free code.

I agree that we need a better identity solution than sharing email addresses or phone numbers with hundreds of third parties. I disagree that digital identities should be tied to government records, or that networked identification is an operating system level problem to solve.

Problems with this approach:

1. Participation in the internet should not be contingent on being documented by a government.

2. There are ~200 countries, so this adaptation will require worldwide collaboration by a lot of parties. Governments and borders change or are disputed all the time. Are all 200 countries trustworthy as identity issuers on this network? Who decides who is trustworthy?

3. This will increase the leverage a government has over its citizens, by giving them an avenue to cut their communication lines with the rest of the world.

4. Governments are notoriously slow for adapting new technologies. Governments are notorious for wanting backdoors in technologies. Can we trust them to keep this up to date, secure, and to migrate to any new advancements that are to come?

This uses a government ID for the actual identity and most of the "verification". I'm not sure what more you're looking for? Facebook can't use zKP because existing government IDs don't support that.

And there is no OS in this case, it's a product feature for Facebook that allows users of Facebook to be told that Facebook verified the account's government ID.

There should be none of those things.

Fuck that.

That sounded like pure bait, which is rare on this forum.

There’s ID.me [0], which the IRS uses. They seem to be geared towards government services but I’ve always thought a natural extension is auth for other sites.

[0] - https://www.id.me/

It can't be a zero knowledge proof, since they need to specifically identify you. They actually need your personal data.

The adult content case is possible, as you're just asserting age.

The EU now has eIDAS. All it lacks is widespread adoption.

This would be the mother of all tracking. Thanks but no thanks :) Privacy is important in this era of surveillance and datamining.

What I'd like is a hierarchical system.

You verify your identity with one or more level 0 identity services. Level 0 services would be the most secure, but as is often the case that heightened security would likely come with a cost. It would likely take some effort to establish your identity with a level 0 provider. It also might take some effort to use a level 0 provider to prove your identity to someone.

Level 1 services would be built on top of level 0. You make an account at a level 1 service using a level 0 service to prove your identity. Level 1 is likely not as secure as level 0, but it is easier to work with and to use when providing identity to someone else.

Similarly, level 2 builds on level 1, and so on. Some of the services at these levels might function both as identity verifiers and as providers of end user services.

Level 0 would best be handled by long lived entities that have actual offices that you can visit. Banks would be a good candidate for providing level 0. To set up an identity account at level 0 you'd have to show up in person and with whatever proof of identity is generally required in your jurisdiction to prove identity.

Some good entities that might provide level 1 service are domain registrars and email hosting companies. The key things they would have to do to be a level 1 service are (1) let you associate your account with an identity proof from a level 0 service, and (2) set a flag on your account that says anyone claiming to be you trying to recover from a lost password or lost 2FA token or something must verify against the level 0 service to prove they are really you before recovery is allowed.

Let's say I'm using my domain registrar for level 1.

For me then level 2 might be my email host. An email host acting at level 2 for someone with their own domain would be similar to an email host acting at level 1, except you associate the account with the domain and anyone trying to take the account has to prove ownership of the domain.

Below that I'd then use my email as my identity at places like Facebook, my ISP, Amazon, and anyplace else I need to create an account. Account recovery would require being able to respond to emails sent to me.

Then maybe below that I might use login by Facebook or login by Apple at a few places. (I normally just go for traditional email/password if I can, but sometimes a site or service makes that so painful I give up. For example the McDonalds mobile app. But that's a rant for another time...).

Level 0 providers would also provide something like certificates of identity. That would be a way to get a certificate from them that says that at the time the certificate was issued the person with real identity X, which they have verified in person, is also the person with email address Y (or telephone number Z or whatever), and they have verified this.

So if I need to prove to, say, Facebook who I really am, I can get such a certificate from my level 0 provider and give Facebook a copy.

With this we can continue to use the fairly simple way we identify ourselves to most sites (email), but if we have to we have a good way to prove real identity, and we have a reliable way to recover if our account at a site gets compromised by anyone short of a major state actor.

If end sites get compromised, email recovery works. If email gets compromised, that can be recovered based on domain ownership, and then once email is recovered end sites that were compromised via the compromised email can be recovered. If my domain gets compromised that can be recovered by going to my level 0 and using that for domain recovery, then I can recover email, and then end sites.
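
The recovery order described in the comment above, modelled as an added example that is not part of the original thread. The account names and the shape of the hierarchy are constructed for illustration; each account maps to the one whose proof unlocks its recovery, and the sketch also lists accounts that were not reported compromised but sit below one that was.

```python
# Constructed hierarchy modelled on the comment: each account maps to the
# account whose proof unlocks its recovery. None marks a level 0 provider,
# which is recovered in person with physical ID. All names are hypothetical.
RECOVERY_PARENT = {
    "bank": None,                      # level 0
    "domain-registrar": "bank",        # level 1
    "email-host": "domain-registrar",  # level 2
    "facebook": "email-host",
    "amazon": "email-host",
    "some-app": "facebook",            # "login by Facebook"
}


def ancestors(account, parents=RECOVERY_PARENT):
    """Recovery path from an account's parent up to its level 0 root."""
    path = []
    seen = {account}
    while parents[account] is not None:
        account = parents[account]
        if account in seen:
            raise ValueError("recovery loop: no trusted root for " + account)
        seen.add(account)
        path.append(account)
    return path


def recovery_plan(compromised, parents=RECOVERY_PARENT):
    """Order compromised accounts so each is recovered via a trusted parent."""
    unknown = set(compromised) - set(parents)
    if unknown:
        raise ValueError("unknown accounts: %s" % sorted(unknown))
    # Shallowest first: a parent must be clean before it can vouch for a child.
    ordered = sorted(compromised, key=lambda a: (len(ancestors(a, parents)), a))
    return [(a, parents[a] or "in person") for a in ordered]


def exposed(compromised, parents=RECOVERY_PARENT):
    """Accounts not reported compromised whose recovery path crosses one that is."""
    bad = set(compromised)
    return {a for a in parents if a not in bad and bad & set(ancestors(a, parents))}


if __name__ == "__main__":
    incident = {"facebook", "email-host", "domain-registrar"}
    for account, proof in recovery_plan(incident):
        print("recover %-17s using proof from: %s" % (account, proof))
    print("audit as well:", sorted(exposed(incident)))
```
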

This sounds very reasonable. Some of the replies in this thread are misinterpreting what I said. I didn't say the government should run the APIs etc, just that we already have identity in the real world and it generally works, so we can use that (but maybe not necessarily only that, there could be other options too). I should be able to use my Gov ID to get a Layer 0 verification from some provider, which then integrates with higher level providers, etc.

And again, it would be opt in, just like verifying with Facebook / Twitter etc is opt in. And for people who are concerned about government surveillance, they can already do that if you verify your social media account via your credit card, that's kind of the point there, that the credit card ties a social media account to a real world person.

* Tim Cook has entered the chat *

This would completely kill fluid discourse. People would not want to post anything controversial since it could be tied back to them. That being said I’m illogically for it.

Yes… but then you have the same arguments that are used to claim Voter ID is voter suppression…

Voter ID is only suppression if access is difficult.

Does it cost money? It’s a problem.

Is it only available in certain neighborhoods? It’s a problem.

Are you unable to get it on vote day? It’s a problem.

Other countries have solved this by doubling down on making voting easy to do.

The problem with many attempts at voter ID in the USA is that they’re thinly veiled attempts at disenfranchisement because they purposefully don’t address the above issues.

Not if it's opt-in and not required to access critical services.

People want to use this for critical services. I already found I couldn't contact my country's passport agency except by Twitter, for example.

Then what is the value proposition?

In other countries, they exist, to vote you just register with the independent voting commission, and on the day they confirm your registered address and give you the paper forms. No voter id required.

The OP can verify with proper ID and be safe. The gov just needs to regulate that rather than keep copies of all the originals. They just have something like a checkbox, where you're either verified or not and a human / smart system is involved and no record is permanently kept of the docs.

Anyway, I don't anticipate this feature working out for Meta.