top | item 46990928

(no title)

voxic11 | 17 days ago

the solution to this seems to be to issue multiple "IDs". So essentially the government mints you a batch of like 30 "IDs" and you can use each of those once per service to verify an account (30 verified accounts per service). That allows for the use case of needing to verify multiple accounts without allowing you to verify unlimited accounts (and therefor run into the large scale misuse issue I pointed out).

If you need to verify even more accounts the government can have some annoying process for you to request another batch of IDs.

discuss

hparadiz|17 days ago

This is a solved problem in the authentication space. Short lived tokens backed by short lived keys.

A token is generated that has a timestamp and is signed by a private key with payload.

The public key is available through a public api. You throw out any token older than 30 seconds.

Unlimited IDs.

That's basically what you want.

ongy|16 days ago

Which either allows to use a fingerprint of the signing key to be used for the same.

Or would open the system up to the originally posted attack of providing ~an open relay.