Your idea becomes useless for deterrence from the "automatically deleting" point. The only benefits for having users who are "real person with an honest identity" accrue when people either can't make many accounts (so banning an user actually bans them instead of simply makes them get a new account) or when you can identify them in case of fraud or child sexual abuse material or some such.
So at the very least the "identity provider" absolutely needs to keep a list of all real identities offered to a particular service; otherwise the bad actors will just re-verify some identity as many times as needed.
But if you give up the "hard privacy" requirement, then technically it's possible. It would also mean that the identity provider would sometimes get subpoenas to reveal these identities.
Yeah but making it difficult to create multiple accounts increases the power of a ban. It may not catch a CSAM distributor if the ID provider doesnt keep logs, but it will make it easier to prevent CSAM (and other illegal stuff and spam) on a website/app since its much harder for those people to create multiple accounts.
> So at the very least the "identity provider" absolutely needs to keep a list of all real identities offered to a particular service; otherwise the bad actors will just re-verify some identity as many times as needed.
The website operator is the one independently banning the ID, not the ID provider. Sure, someone could create multiple IDs on multiple ID providers to dodge those bans, but that’s harder to do, and there could also be a fee charged for each verification request.
I could see this also providing ID services for certain niches, like if you want to create a forum for registered nurses only, you could allow registrations only from ID providers that check those credentials. (Or give verified users a special badge, etc). The damn thing could be gamified.
I just worry that, in the real world, this idea will devolve into the dsytopian nightmare that is China’s social credit system no matter how hard anyone tries to prevent it. All it would take is one well placed “think of the children!” argument to justify invasive tracking and data collection/retention.
…but man, if this world didnt suck so bad, a system like that could really help clean up the internet.
So at the very least the "identity provider" absolutely needs to keep a list of all real identities offered to a particular service; otherwise the bad actors will just re-verify some identity as many times as needed.
But if you give up the "hard privacy" requirement, then technically it's possible. It would also mean that the identity provider would sometimes get subpoenas to reveal these identities.