> I could’ve also generated as many valid government approved drivers licenses as I wanted to for anyone of my choosing.
This is a good example of how identity verification is mostly useless in existing systems like code signing. What value is being added if there’s no guarantee the signer’s identity isn’t fake? We might as well be self-signing at that point and I would argue that signing with a domain based identity (@example.com) is better than identity verification.
For example, I want code signed by @example.com, with the GitHub repo at github.com/@example.com, and the website at example.com. It’s time to get rid of all the ambiguity and (matching) handle chasing we have to endure to (try to) mitigate that ambiguity. Domain verified identities would be a huge step forward for good actors that want to (optionally) consolidate all their web assets and accounts under a single, matching, verified namespace.
I remember when MSU, Baroda had also leaked aadhaar/income certificate & other PII as a publicly accessible storage bucket. All of which then got scraped into Google images....lol
This is a good example of how identity verification is mostly useless in existing systems like code signing. What value is being added if there’s no guarantee the signer’s identity isn’t fake? We might as well be self-signing at that point and I would argue that signing with a domain based identity (@example.com) is better than identity verification.
For example, I want code signed by @example.com, with the GitHub repo at github.com/@example.com, and the website at example.com. It’s time to get rid of all the ambiguity and (matching) handle chasing we have to endure to (try to) mitigate that ambiguity. Domain verified identities would be a huge step forward for good actors that want to (optionally) consolidate all their web assets and accounts under a single, matching, verified namespace.