I was responding to the comment above mine, which was calling for attestation from the government for specific privileges.

> you get your sd-jwt document signed once and you reuse it for like 30 days or so

So it still gets routed through the government once a month if you plan on using it.

▲

hiciu 2 hours ago | parent [-]

Yes we are still talking about attestation from the government for the specific privilege part.

You get your document with fields like "can drive", "is over 18" and so on. It's valid for some time; physical ID is valid for like 10 years and then you have to get a new document, this digital one is valid for lets say 30 days and if it expires you get a new one.

Then you present only those fields you want, when you want, without anyone talking to the government at all. All the other party needs to check is "is the document valid" and "do presented fields match the document". Like checking a tls certificate for a given domain name or purpose.

Strictly speaking there is no "routing through the government" of any information. The government just "issues a certificate" valid for X days without knowledge with whom, how or when you are using it.

▲

Aurornis an hour ago | parent [-]

> Strictly speaking there is no "routing through the government" of any information. The government just "issues a certificate" valid for X days without knowledge with whom, how or when you are using it.

I don't understand how you keep claiming there is no "routing through the government" right next to your explanations that the government is the one providing the documents every 30 days.

Obviously something in the document is tied to your ID and the government has mechanisms to revoke it. No matter how many layers you put on top of that, this all has to come back to the government's control.

I understand that the salts can be sent to 3rd party websites. However there's obviously a reason that those are only valid for 30 days instead of indefinitely.

	▲	hiciu 40 minutes ago \| parent [-]
		Yes, something in the document is tied to my ID. There's my name in there for example :). I don't have to share that information, because what government signed is a uniquely salted hash of my name and passed the salt to me. If I choose to share that salt, and provide my name, someone could hash all that information and compare it to the government-issued document to verify if my name really is john smith (or if my claim "I'm over 18" is valid). If I don't, they have no way of knowing. > no "routing through the government" > government is the one providing the documents I'm also lost. I mean, this is the government issued ID we are talking about, right? How are you expected to get it if not from the government? "Are you over 18" claim is part of that government issued ID. They don't have to know which sites or when you are visiting, but they do have to issue you the document. (To be clear, there are also other options, it doesn't have strictly to be government; for example banks around here can provide ID documents - for their clients. There's a list of who is trusted for what https://eidas.ec.europa.eu/efda/trust-services/browse/eidas/...). > However there's obviously a reason that those are only valid for 30 days instead of indefinitely. It's the same reason why we prefer tls certificates with short lifespans.