HackerTrans
TopNewTrendsCommentsPastAskShowJobs

myrion

no profile record

comments

myrion
·3 ay önce·discuss
I don't use old Reddit, and haven't noticed this behaviour either.
myrion
·5 ay önce·discuss
Well, yes, if they use something completely different to what's published and designed.

But no, we're not talking about the case where there's no trust at all in the government, because then you don't get verifiable credentials at all. We're talking about building privacy-preserving credentials that actually have a use.
myrion
·5 ay önce·discuss
That's not how that works - they can prove they check by showing logs, rather than VPs. There's even legal limits on what identifiers they can store and for how long. But even ignoring that, they'd be storing only very limited disclosures.

The base registry stores identifiers of issuers and verifiers, not credential holders.

Even the status register does not contain the tokens themselves:

> Within these status lists, each index (i.e., status entry) documents the validity of one VC. The corresponding index is captured in the VC’s metadata to allow for a decentralized status information retrieval that does not require verifiers or the VC holder to contact the issuer.

Of course, each issuer needs to maintain a list of the credentials they have issued in order to be able to ever revoke them. That's unavoidable.
myrion
·5 ay önce·discuss
In the Swiss system, it depends on what they verified. If they required your full ID, that has a document number like a passport and they could track that.

If they did the right thing and only asked for the over 18 bit, then they wouldn't have a trackable identifier.
myrion
·5 ay önce·discuss
There's no dynamic analysis done, necessarily. In the Swiss design, fex, SD-JWTs are used for selective disclosure. For those, any information that you can disclose is pre-hashed and included in the signed credential. So `over_18: true` is provided as one of those hashes and I just show this to the verifier.

The verifier gets no other information than the strictly necessary (issuer, expiry, that kind of thing) and the over 18 bit, but can trust that it's from a real credential.

That's not strictly a zero knowledge proof based system, though, but it is prvacy-preserving.
myrion
·5 ay önce·discuss
The revocation checking is implemented in a way where the government doesn't know who you checked and you can even cache the information (if that's good enough for you) so they won't notice at all.
myrion
·5 ay önce·discuss
That assumes the companies store the individual tokens, as does the government. Neither of which are part of the design, but could be done if both sides desired it.

The Swiss design actually doesn't store the issued tokens centrally. It only stores a trust root centrally and then a verifier only checks the signature comes from that trust root (slightly simplified).
myrion
·6 ay önce·discuss
Schweissen und löten. Has nothing to do with Switzerland (Schweiz) ;)
myrion
·8 ay önce·discuss
Because politicians make laws, and those affect the "legal hurdles" that companies need to deal with.
myrion
·9 ay önce·discuss
Considering that companies will do everything to avoid doing sensible things that cost money - yes, of course the government has to step in and mandate things like this.

It's no different from safety standards for car manufacturers. Do you think it's ridiculous that the government tells them how to build cars?

And similarly here: If the company is big enough / important enough, then the cost to society if their IT is all fucked up is big enough that the government is justified in ensuring minimum standards. Including for backups.
myrion
·geçen yıl·discuss
There's no much difference between the two positions, and the former is very much a lead-in to the latter.
myrion
·geçen yıl·discuss
FIDO authenticators. If the "autofill" doesn't work, you can't be tricked into overriding it.