
Is there a reputable identity provider that would verify a passport, SSN or similar, preferably in person, and link that to an OpenPGP key with metadata same as in the ID?

Similar to this service, but linking not just the name, but more secure unique identity data. Linking the person’s name to the key is not very useful, since there are many people with that name.

That’s basically a government issued smart card, that would allow the use of OpenPGP A-E-S keys for arbitrary data through a FOSS API.

Keybase was a good idea, but it’s semi dead.



It's not exactly what you're saying but

https://keyoxide.org/

Is all the best ideas of keybase. Basically if you trust someone has control over multiple different accounts you can also trust their pgp key.


Re: WoT Web of Trust, `keybase pgp -h`, and Web standards: W3C DID Decentralized Identifiers, W3C VC Verifiable Credentials, "Linked Data Signatures for GPG"; there's a URI for the GpgSignature2020 signature suite: https://news.ycombinator.com/item?id=28814802 https://news.ycombinator.com/item?id=35302650

https://news.ycombinator.com/item?id=26758099 ; blockcerts.org, blockcerts-verifier-js, ILP ledger addresses


"Verifiable Credentials Data Model v1.1" W3C Recommendation 03 March 2022 https://www.w3.org/TR/vc-data-model/#ecosystem-overview :

> Holder, Issuer, Subject, Verifier, Verifiable Data Registry


> but more secure unique identity data

What kind of data?

eID pretty much replicates Keybase, except it's concerned with real world identity (matching your given and surname to your pubkey) rather than pseudonymous identity (matching your twitter handle or reddit account or whatever else to your pubkey).

> that would allow the use of A-E-S keys for arbitrary data through a FOSS API.

You can use your ECC (or RSA) keypairs to negotiate an AES or chacha+poly session key. Most cryptosystems do that (ECDHE, or DHE for RSA) now since:

1. session keys are faster (in terms of CPU) than just encrypting with the remote's pubkey.

2. if the session key is stolen, you just get access to that session (perfect forward secrecy).

3. group chats just store the session key encrypted chat, plus copies of the session key encrypted with everyone's pubkey, to save storage.


Social Security number, passport number, birth certificate data, driver's license, tax information, etc.

Some numbers need to be verified every few years.


That kind of thing doesn't exist because it's illegal, because it gets people killed and governments toppled. Privacy isn't a human right for nothing.


An OpenPGP key could be the most stable of all identifiers out there!


What if you lose it, or the private key leaks?

A public key is a pretty bad identifier by itself. The combination of a good identifier with a public key/certificate binding to it is pretty powerful, though.

The US has a good public identifier (SSNs), but they are completely unauthenticated. Germany arguably has the opposite: widely available e-signature capable ID cards, but they only bind to your name (and DOB).


Not if Autocrypt has their way! (And I hope they will!)


I'm not sure you understand Germany. They barely emerged from one of the most oppressive surveillance regimes ever created and rightly vowed to make it as difficult as possible to arrive there again; everything you've just described is taboo if not illegal. Even using a dashcam is tightly regulated.


In New Zealand there's a log in service used by the government across all services called RealMe. You can't link a PGP key etc., but you do verify yourself in person with a license or passport. It works quite well.


Clear (https://www.clearme.com) could have the business market LOCKED UP if they would, on an opt-in basis, tie their biometric data to an OpenPGP key. It's been proposed to them in the past but I think they suffer from myopia.


Their business model isn't identity. It's rev share with airports to cut the TSA line. The biometrics are theater as part of the product. (control-F "Risks Related to Our Business, Brand and Operations" from Clear Secure's most recent 10-K)

> Clear doesn’t do any actual security screening of passengers, a process reserved solely for the TSA. The New York-based company verifies customers’ identities and escorts them to the front, using revenue-sharing agreements with the airports or airlines that control the lines to secure an advantage for its fliers.

https://archive.is/fSiq4


Wait, they really do nothing more than verify identity? As in the same thing the person working there does when checking ID? Is the only purpose to get people to cut the line, but with smoke and mirrors added so it seems like that's not the point? If that's the case, why don't airports just let people pay to cut the line?


> If that’s the case, why don’t airports just let people pay to cut the line?

They do. That is what Clear is for (just as Ticketmaster takes the heat for venues or artists taking more from customers via fees). You mean "why don't they make it more overt?" That's a great question.


Yeah, my point was why don't they make it more overt? I mean we're talking about airports here. Airlines nickel and dime you more and more. I'm surprised airports wouldn't just be open about it. I mean there are already priority lanes and first class etc. Why hide the purpose of Clear?


I think there's some sort of revenue share. At the end of the day, all they do is an IAL-2 in-person or online validation (not sure if they do that in all cases) of your driver's license. They then link that to a biometric, which may or may not also be IAL-2.

Personally, I don’t get the point. I can pay for clear and avoid a line at Yankee stadium because they validated my drivers license and confirmed that I’m not a felon. If I am a felon, some dude looks at my backpack and I experience the same outcome.

I worked with a few of these things during the pandemic. They are all vulnerable to fraud with online validation. If you care about that, the best option is something like Idemia with in-person validation.


Holy shit! I didn't realize Clear existed outside airports. So they are just some general purpose line cutting company? Presumably they track a shitton of information on people cutting lines, and profit both from people paying them and from the information they gather. I wish I could say that businesses getting a proposal to partner with Clear would tell them to take a hike, but I guess few American companies really have any integrity left.



