1. flagra+(OP) 2023-07-27 12:21:32
There's a lot of trust in that model. I would have to trust that the web server isn't passing extra information like the page I visited, that the government isn't passing back extra info like a unique identifier, and that the scripted string is completely anonymous and single use.

If any of that trust is broken, my privacy is at risk.

> And before someone talks about the state knowing your browser history: they already can by calling up your ISP, and they would get a lot more information than this mechanism would provide.

That depends on how you browse the internet today, and how the ISP tracks it. Simply using a different DNS service goes a long way, and using a VPN or the Tor network may not be totally foolproof but should get around the basic dragnets an ISP is likely to use.

replies(1): >>solati+fJ
2. solati+fJ 2023-07-27 15:36:33
>>flagra+(OP)
> there's a lot of trust in that model

No, there isn't. It's basically an OAuth login flow. The spec is publicly documented; anyone can register applications and check if the government is responding as desired, both by correctly requesting auth for the correct scopes in the government-hosted auth page, and by checking that the data returned from the gov matches what the spec promises.

replies(1): >>Anthon+Mp1
3. Anthon+Mp1 2023-07-27 18:08:31
>>solati+fJ
OAuth isn't designed to be secure against token issuers conspiring with services to deanonymize users.