ID Verification Scenario


#1

Hey guys can someone explain how a scenario like this would work.

Suppose I want to purchase alcohol from an online website. I want to prove that I am 21. I upload my id to an enigma based verification app. The verification app confirms my age, reports it to the alcohol website and I can purchase alcohol.

My questions are:
Who verifies that id? If it’s a 3rd party app that verifies, that means they will have access to the data on my id?
How do they know it’s not a fake id?
How do they know that when I log in to purchase the wine, it will always be me purchasing and not somenone else using my id?


#2

Hi @Cryptojoe – good question. There are a few ways this works currently (there is no determination about how it should be done specifically in Enigma, it would be up do the dApp developer / implementer).
This is generally called a “verifiable claim” in the DID specifications.

  1. Whoever creates the dApp (in this case, let’s say the wine-seller) must decide what types of verifiable claims they accept. For example, they may say “only claims signed by the city”.
  2. The burden of proof is on the signer of the claim. They can say “i will only sign this claim if you come in person, show me an ID, I call both your parents and the hospital you were born at, and then I carbon date your skeleton”. This would be a very trustworthy, if invasive, signed verifiable claim.
  3. This is tricky-- it could be someone else at the computer, but that person would then have access to your private key. I guess this would be like having your ID stolen by someone who looks very similar to you. Mitigations could include requiring a signature renewed within a certain time-frame, either by owner or by claim verifier.

Let me know if I can give more info! Signed verification doesn’t have a clearly defined general specification yet, but I believe a general answer to your question is: it depends on what entity the dApp developer is willing to trust (and whether that entity is willing to create a signed verifiable claim about you).


#3

Thank you for your reply. Basically is the case of an id, there still needs to be a centralized entity that verifies and confirms my identification. Once that has been done, no one else needs to see my identification by using enigma protocol to share the confirmation.