We already do identity verification in the real world; it's called government-issued IDs.
There should be opt-in OS-level identity verification based on zero knowledge proofs and tied to your government-issued digital ID. This also solves issues like preventing minors from accessing adult sites, etc.
I should not have to verify with 1000 third parties and hand over my personal data and then hope it's handled properly and doesn't get leaked. We have zero knowledge proofs and we can get OS makers to make this seamless for us.
This will be the end of a lot of things, including the internet we grew up with in the 90s. It's holding on by a hair, but you can still visit personally-owned and hosted websites, and not run any non-free code.
I agree that we need a better identity solution than sharing email addresses or phone numbers with hundreds of third parties. I disagree that digital identities should be tied to government records, or that networked identification is an operating system level problem to solve.
Problems with this approach:
1. Participation in the internet should not be contingent on being documented by a government.
2. There are ~200 countries, so this adaptation will require worldwide collaboration by a lot of parties. Governments and borders change or are disputed all the time. Are all 200 countries trustworthy as identity issuers on this network? Who decides who is trustworthy?
3. This will increase the leverage a government has over its citizens, by giving them an avenue to cut their communication lines with the rest of the world.
4. Governments are notoriously slow at adopting new technologies. Governments are notorious for wanting backdoors in technologies. Can we trust them to keep this up to date, secure, and to migrate to any new advancements that are to come?
This uses a government ID for the actual identity and most of the "verification". I'm not sure what more you're looking for? Facebook can't use ZKP because existing government IDs don't support that.
And there is no OS in this case, it's a product feature for Facebook that allows users of Facebook to be told that Facebook verified the account's government ID.
There’s ID.me [0], which the IRS uses. They seem to be geared towards government services but I’ve always thought a natural extension is auth for other sites.
You verify your identity with one or more level 0 identity services. Level 0 services would be the most secure, but as is often the case that heightened security would likely come with a cost. It would likely take some effort to establish your identity with a level 0 provider. It might also take some effort to use a level 0 provider to prove your identity to someone.
Level 1 services would be built on top of level 0. You make an account at a level 1 service using a level 0 service to prove your identity. Level 1 is likely not as secure as level 0, but it is easier to work with and to use when providing identity to someone else.
Similarly, level 2 builds on level 1, and so on. Some of the services at these levels might function both as identity verifiers and as providers of end user services.
Level 0 would best be handled by long lived entities that have actual offices that you can visit. Banks would be a good candidate for providing level 0. To set up an identity account at level 0 you'd have to show up in person and with whatever proof of identity is generally required in your jurisdiction to prove identity.
Some good entities that might provide level 1 service are domain registrars and email hosting companies. The key things they would have to do to be a level 1 service are (1) let you associate your account with an identity proof from a level 0 service, and (2) set a flag on your account that says anyone claiming to be you trying to recover from a lost password or lost 2FA token or something must verify against the level 0 service to prove they are really you before recovery is allowed.
Let's say I'm using my domain registrar for level 1.
For me then level 2 might be my email host. An email host acting at level 2 for someone with their own domain would be similar to an email host acting at level 1, except you associate the account with the domain and anyone trying to take the account has to prove ownership of the domain.
Below that I'd then use my email as my identity at places like Facebook, my ISP, Amazon, and anyplace else I need to create an account. Account recovery would require being able to respond to emails sent to me.
Then maybe below that I might use login by Facebook or login by Apple at a few places. (I normally just go for traditional email/password if I can, but sometimes a site or service makes that so painful I give up. For example the McDonald's mobile app. But that's a rant for another time...).
Level 0 providers would also provide something like certificates of identity. That would be a way to get a certificate from them that says that at the time the certificate was issued the person with real identity X, which they have verified in person, is also the person with email address Y (or telephone number Z or whatever), and they have verified this.
So if I need to prove to say Facebook who I really am, I can get such a certificate from my level 0 provider and give Facebook a copy.
With this we can continue to use the fairly simple way we identify ourselves to most sites (email), but if we have to we have a good way to prove real identity, and we have a reliable way to recover if our account at a site gets compromised by anyone short of a major state actor.
If end sites get compromised, email recovery works. If email gets compromised, that can be recovered based on domain ownership, and then once email is recovered end sites that were compromised via the compromised email can be recovered. If my domain gets compromised that can be recovered by going to my level 0 and using that for domain recovery, then I can recover email, and then end sites.
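The layered scheme in the comment above (a level 0 provider that attests identity in person, level 1 accounts flagged to require that attestation for recovery, and a recovery chain that walks back up to level 0), modelled as an added example. This is not code from the thread or from any of the services it names. Assumptions that are mine: the level 0 attestation is an HMAC-SHA256 tag computed with the provider's own key, so a relying party must ask the provider to check it (a deployable version would use a public-key signature so verifiers hold no secret); each account names exactly one account that may recover it; a compromised level 0 account has no recovery path, which is what "short of a major state actor" amounts to here. The account graph and identities are constructed for illustration.

```python
"""Toy model of the level-0 / level-1 / end-site identity and recovery chain.

Added example, not code from the thread. Assumptions (mine, not the poster's):
  * the level-0 attestation is an HMAC-SHA256 tag the issuer computes with its
    own key, so relying parties verify by asking the issuer (online check);
    a real deployment would use a public-key signature instead;
  * each account records the single account that can recover it; level-0
    accounts have none, so a compromised level 0 is unrecoverable here.
"""
import hashlib
import hmac
import json


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so the tag covers exactly one byte string."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Level0Provider:
    """Bank-like issuer: identity was checked in person, and the issuer binds
    that identity to an email address for a limited time."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self._key = key  # assumed: a symmetric key held only by the issuer

    def issue(self, real_identity: str, email: str, now: int, ttl: int) -> dict:
        payload = {"issuer": self.name, "subject": real_identity, "email": email,
                   "issued_at": now, "expires_at": now + ttl}
        tag = hmac.new(self._key, _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}

    def verify(self, cert: dict, now: int) -> bool:
        """Rejects tampered payloads (constant-time compare) and expired certs."""
        expected = hmac.new(self._key, _canonical(cert["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert["tag"]):
            return False
        p = cert["payload"]
        return p["issuer"] == self.name and p["issued_at"] <= now < p["expires_at"]


class Level1Account:
    """Registrar/email-host account flagged so that recovery from a lost
    password or 2FA token needs a fresh level-0 attestation for the same subject."""

    def __init__(self, provider: Level0Provider, signup_cert: dict, now: int):
        if not provider.verify(signup_cert, now):
            raise ValueError("signup attestation invalid")
        self.provider = provider
        self.subject = signup_cert["payload"]["subject"]
        self.locked_out = False

    def recover(self, cert: dict, now: int) -> bool:
        """True (and access restored) only for a currently valid attestation
        naming the subject bound at signup; an old or foreign cert fails."""
        if self.provider.verify(cert, now) and cert["payload"]["subject"] == self.subject:
            self.locked_out = False
            return True
        return False


# Constructed account graph: each account -> the account that can recover it.
ACCOUNTS = {
    "bank-level0": None,
    "registrar": "bank-level0",
    "email": "registrar",
    "facebook": "email", "isp": "email", "amazon": "email",
    "mcdonalds-app": "facebook",
}


def validate_chain(accounts: dict) -> None:
    """Every recovery path must end at a level-0 root; a cycle (email recovers
    via registrar, registrar recovers via email) is rejected up front."""
    for name, anchor in accounts.items():
        seen, cur = {name}, anchor
        while cur is not None:
            if cur not in accounts:
                raise ValueError(f"{name}: unknown recovery authority {cur}")
            if cur in seen:
                raise ValueError(f"recovery cycle through {cur}")
            seen.add(cur)
            cur = accounts[cur]


def recovery_order(accounts: dict, compromised: set) -> list:
    """Order in which compromised accounts can be recovered: an account is
    recoverable only once its recovery authority is trusted again."""
    validate_chain(accounts)
    trusted = set(accounts) - set(compromised)
    remaining, order = set(compromised), []
    while remaining:
        ready = sorted(a for a in remaining if accounts[a] in trusted)
        if not ready:
            raise ValueError(f"cannot recover {sorted(remaining)}: root is compromised")
        for a in ready:
            order.append(a)
            trusted.add(a)
            remaining.discard(a)
    return order


if __name__ == "__main__":
    print(recovery_order(ACCOUNTS, {"email", "facebook", "amazon"}))
```

The recovery walk is the part worth keeping even without the attestation machinery: write down which account recovers which, run `validate_chain` over it, and you will find out whether your own setup has a loop (email and registrar recovering each other) before an attacker does.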
This sounds very reasonable. Some of the replies in this thread are misinterpreting what I said. I didn't say the government should run the APIs etc, just that we already have identity in the real world and it generally works, so we can use that (but maybe not necessarily only that, there could be other options too). I should be able to use my Gov ID to get a Layer 0 verification from some provider, which then integrates with higher level providers, etc.
And again, it would be opt in, just like verifying with Facebook / Twitter etc is opt in. And for people who are concerned about government surveillance, they can already do that if you verify your social media account via your credit card, that's kind of the point there, that the credit card ties a social media account to a real world person.
This would completely kill fluid discourse. People would not want to post anything controversial since it could be tied back to them. That being said I’m illogically for it.
Voter ID is only suppression if access is difficult.
Does it cost money? It’s a problem
Is it only available in certain neighborhoods? It’s a problem.
Are you unable to get it on vote day? It’s a problem.
Other countries have solved this by doubling down on making voting easy to do.
The problem with many attempts at voter ID in the USA is that they’re thinly veiled attempts at disenfranchisement because they purposefully don’t address the above issues.
In other countries they exist; to vote you just register with the independent voting commission, and on the day they confirm your registered address and give you the paper forms. No voter ID required.
The OP can verify with proper ID and be safe. The gov just needs to regulate that rather than keep copies of all the originals. They just have something like a checkbox, where you're either verified or not and a human / smart system is involved and no record is permanently kept of the docs.
Anyway, I don't anticipate this feature working out for meta.
Yes. There's a separate queue for sites that need js rendering and it eats much more into your crawl budget. Best way to avoid it imo is to use something like Rendertron, which is made and recommended by Google.
They often show a "Mac version" of those for macOS users. It doesn't matter much that the warning doesn't exist in the system. They're not targeting people who know that.
There are several such cases discussed in the Cloudflare forums. It usually turns out that the webmaster was serving very large amounts of media, which no one should expect to be free.
This is why we need good OS-level password managers. Phones and now computers have dedicated security chips which are infinitely more secure than any cloud solution. Such an easy market to grab that it boggles me why Apple and Google aren't aggressively going for it.
Apple and Google both have solid options here, and I'm a happy user of Google's. But I also wouldn't want either of them to push their solutions aggressively, for competition reasons.
Do you consider your passwords to be "disposable" or easily replaceable? I could never trust Google with hundreds of passwords. The thought of their AI going haywire and essentially locking me out of the internet is terrifying.
> The thought of their AI going haywire and essentially locking me out of the internet is terrifying.
I think this is really unlikely; since https://news.ycombinator.com/item?id=34092956 I've been gathering lockout reports on HN and they're mostly things like adding a phone number to your account and then forgetting about that when switching numbers.
iCloud Keychain syncing, strong password suggestions in Safari, and WebAuthn passkeys are all part of Apple's strategy. When they don't buy a third party and deeply integrate it, they tend to operate by insinuating themselves as the platform default. What would you have them add to that?
Their "password manager" on Mac is called Keychain Access. The UX is very bad, the interface is old and clunky and it doesn't sync with iOS (if for example you create a secure note there's no way to access it on iOS) - not to mention that most people don't even know it exists, it's kind of a hidden feature. Meanwhile, on iOS the password manager is hidden in the settings and again it has pretty bad UI/UX. I understand that they want to hide the complexity away from the end user and make these kinds of features "just work", but in practice they feel pretty half-baked.
I agree that Keychain Access kinda sucks, but it's because Apple's UI paradigm for it is different. For them, the Password Manager isn't a separate entity that's a source for copy-pasting passwords into arbitrary apps; instead it's a core Framework of the OS that apps integrate with. As such, it doesn't really have "its own UI" because each app provides the UI.
Of course, that does mean that it's less universally convenient like the other commercial apps.
As usual with Apple stuff, I guess they're not interested in making it a better separate app because their value proposition is "use our frameworks and get this feature 'for free' "
I’d say - ability to use it across platform or across system accounts. I like to use my personal LastPass when logged into my work laptop with corp account. Mind you, not to store work passwords, no, to have access to e.g. my Amazon account.
Additionally, I share my LastPass with my partner. Probably not a setup for most, but we find it convenient.
All that is achievable only when the password manager is not tied to the system login.
Well, they're not custodians exactly. The way they work is not really cleanly analogous to the system OFAC is designed to interact with.
1 is true, but reframed: tools people use de facto decide what infrastructure they run on, and therefore what infrastructure those people use their tools on. It's not as controversial when framed in an unbiased way. We are just describing network effects.
As far as the Twitter thread goes, there's a third option: the big validators can no longer validate. Remember, validators aren't the only ones that validate blocks, all nodes do; validators validate transactions and finalize epochs. If they refuse to validate a valid block proposed by another validator that the rest of the network sees is valid, they basically have to fork themselves off onto their own, valueless chain. If most validators start refusing to finalize blocks, their stake gets slashed and they no longer validate. They have no choice but to violate OFAC if it is deemed that finalizing a block which contains transactions they didn't and wouldn't include is a violation, so in that scenario they'd have no choice but to stop validating. The other side of this hill to me looks like a lot of decentralized, anonymous validators, and I'm happy with that.
Interesting, but this does not seem to match empirical evidence by the likes of Ahrefs, which suggests that links are by far the most important ranking factor.