[Nursie]

> No, uploading identity documents is never a safe process.

You should probably stop pretending you understand verifiable credentials then.

Because if you did, you'd understand that they don't need to involve uploading identity documents anywhere.

The idea is to defer to service providers such as banks that have already performed such verification, often physically. And if you want to argue that banks should stop verifying who people are when they open accounts... well that's going to be an interesting conversation.

Without doxxing myself too much, I'm going to say that I know intimately the details of a project within Australia to build a standards-based non-government VC system that won't touch a single piece of ID at any stage, as an additional capability on a commercial identity system that's already active and in use.

[shakna]

KYC rules require the banks collect those, and keep them on an online portal. This information is held by the ABA - hence why they were falsely accused because of the infostealer breach last year.

I have absolutely not said banks should stop collecting ID. Collecting it in person is a fantastic idea. Holding it on an isolated network is difficult, but a good compromise, and banks are better suited to doing that than most.

Uploading it to a S3 bucket in Sydney, as the ABA do, is a moronic decision. That myID upload it to a Azure Blob in Sydney, is worse than I feel the need to explain.

If you think you can succeed, where literally no one else in the world has, good luck to you. But I expect the same result as Forticode.

[Nursie]

I believe that nobody's ID will be at risk of leaking, because it will never be handled in the first place, nor will it be accessed. So that's already better than most of the schemes people are upset about.

> But I expect the same result as Forticode.

What happened there? I can't find a lot of reference to it on the net other than "we make amazing security products" and then "entering liquidation", so clearly a lot went wrong!

It's always possible for people to make mistakes and do things badly, but I don't see "age verification" as some special case in the identity landscape that presents unique challenges. And the system is already in use without major issue (touch wood). Verifiable Credentials will be an addition to the platform at some point.