Remix clone Hacker News

new | show | ask | jobs Github

▲

zigzag312 3 days ago

Same token for multiple people would improve anonymity for sure.

But someone could share this token publicly and then everyone could have it.

▲

AnthonyMouse 3 days ago | parent [-]

> But someone could share this token publicly and then everyone could have it.

How is this any different than using any other way of doing it? It's always the case that someone can provide their ID and let someone else use it.

▲

zigzag312 3 days ago | parent | next [-]

If someone shares their ID publicly, that person could be identified and blocked, so this would probably be limited to sharing of ID to the people in person's social circle.

If someone uploads shared token publicly, it's hard to identify who did it and anyone can use it until you rotate the token for everybody.

	▲	AnthonyMouse a day ago \| parent [-]
		> If someone shares their ID publicly, that person could be identified and blocked, so this would probably be limited to sharing of ID to the people in person's social circle. This was the thing your proposal was supposed to do: > User hasn't revealed any PII data besides "is_over_18" value to the site and identity authority doesn't know which site user is accessing. If you have that, someone sets up a service that uses their ID (or a set of IDs from any data breach) to provide tokens to anyone. If the tokens can be mapped back to the IDs, the alleged privacy protection is fake. If they can't, you don't know whose ID is being used to generate tokens for third parties. Your choices are "no real privacy protection" or "you don't know who is sharing tokens" and the first one is unacceptable, at which point you might as well use the simpler system.

▲

OJFord 3 days ago | parent | prev [-]

In the solution you described as 'far more complicated than it needs to be', this is significantly mitigated by the inclusion of a valid_until timestamp.

	▲	AnthonyMouse a day ago \| parent [-]
		If this is actually a necessary component then you can just change the code for everyone once each ID renewal interval and then the old code expires once the last person with an ID with the old code has their ID expire.