Sure, it's possible to "revoke" a physical ID, just not in the sense we commonly mean when talking about these things in a digital context. For example, a cop or bartender physically taking your ID can be described as revoking it.
Other than taking the physical document, what is there to revoke? The state unilaterally declares Bob Smith's name is no longer Bob Smith? The state declares that one of Bob Smith's names is no longer #12345678?
I think your point is that physical IDs could be augmented with an online digital revocation method - every issued ID could have a serial number, for which there could be an online database to look up whether that specific issued credential has been reported lost or stolen. But that seems like just another giveaway to banks (etc) of one more talking point to hassle their own victims with - "When we were defrauded by someone presenting your ID, you had not yet reported it stolen, which [somehow] means that you are responsible for covering our losses". Never mind the Kafkaesque situation of someone being suddenly told that the document they're carrying is no longer valid due to some unknown-to-them happenings (this is already bad enough with things like car registrations).
Really, the biggest problem with identity-based fraud continues to be aligning the incentives, such that the negligent institutions that get defrauded can no longer externalize the damage they caused onto everyone else. The extreme hassle of us having to clean up the banks' messes is the only reason this is a subject of popular concern.
> Other than taking the physical document, what is there to revoke? The state unilaterally declares Bob Smith's name is no longer Bob Smith? The state declares that one of Bob Smith's names is no longer #12345678?
The state revoking the statement "license #12345678 is a valid credential for Bob Smith".
> I think your point is that physical IDs could be augmented with an online digital revocation method - every issued ID could have a serial number, for which there could be an online database to look up whether that specific issued credential has been reported lost or stolen.
Yes, that's exactly what some ID-issuing entities already do! That's why e.g. the US Department of State strongly advises against traveling with a passport previously reported lost or stolen [1].
I don't think this is commonly available to non-governmental ID-validating entities such as banks in the US, but it arguably ought to be.
You raise a very good point on banks potentially attempting to shift liability to customers for any resulting fraud – that's something that would have to be legally clarified before such a system is made available widely.
That, and the fact that banks would still not want to miss out on the significant volume of online account openings, which would actually require a digitally-verifiable credential (the "photo of ID" pattern is truly absurd), are probably the primary reasons for why this does not exist yet in the US (with a healthy dose of historical distrust in government institutions and some immigration-related state vs. federal disputes sprinkled on top).
> The state revoking the statement "license #12345678 is a valid credential for Bob Smith".
"#12345678" as I used it was the "driver's license number". This isn't a serial number for the issued credential, but rather a numeric name for the given person. Adding a serial number for each issued credential such that there can be an online revocation protocol might make sense, but it's not what we have now.
Banks, and especially online banks, are definitely optimizing for account opening convenience rather than caring about fraud. They could most certainly require a notarized form to open an account (which requires verifying an ID in person), they'd just rather not because it would interrupt some new customers signing up. Which is why I say the main regulatory reform we need starts with making them fully cover the damage they've opted for. If they continue to make the same tradeoff that's fine - as long as they stop harming the public with the backscatter.
Also as I said in my original comment, we need a privacy law like the GDPR before it makes sense to support any smoother systems of authentication. The existing identification systems are already being abused so routinely and thoroughly by the surveillance industry, so this isn't an abstract concern. As things currently stand there are virtually no regulations on creating surveillance dossiers, so the more friction keeping businesses away from frivolously asking for ID (and then backhauling your activity), the better.
At least my license has a document ID in addition to the license ID.
There's also a barcode on the back that looks high-entropy enough that it could at least contain a URL, and maybe even a digitally signed statement by the issuing authority.
Between these two things alone, it should be possible for an issuing authority to publish a document number revocation list that verifiers can query in a privacy-preserving way (i.e. without the issuer learning who's checking somebody's license when).
> the more friction keeping businesses away from frivolously asking for ID (and then backhauling your activity), the better.
Is it, though? Banks and even random places like Airbnbs still regularly ask me for a photo of my driver's license for all kinds of purposes, so arguably this is the worst of both worlds: Pervasive data collection without actual security against fraud.
How would this be any worse if the ID verification was at least more secure, if not hopefully also more private (which is more likely with a digital signature than with a photo of a license in any case; how would you anonymize the photo of something inherently identifying)?
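One way the privacy-preserving revocation lookup suggested in the comment above could work, as an added example that is not part of any comment in this thread: a hash-prefix (k-anonymity) range query, where the verifier sends only the first characters of the hashed document ID and compares the rest locally. The `Issuer` class, the `PREFIX_HEX` bucket size, and the `DOC…` ID format are all hypothetical, and the sample IDs are constructed.

```python
import hashlib
from collections import defaultdict

PREFIX_HEX = 2  # hex chars of the hash sent to the issuer (assumed: 256 buckets)

def doc_hash(document_id: str) -> str:
    """SHA-256 of the normalised document ID (per-credential serial, not the licence number)."""
    norm = "".join(ch for ch in document_id.upper() if ch.isalnum())
    return hashlib.sha256(norm.encode()).hexdigest()

class Issuer:
    """Hypothetical issuing authority serving its revocation list in hash-prefix buckets."""
    def __init__(self, revoked_ids):
        self.buckets = defaultdict(set)
        for doc in revoked_ids:
            h = doc_hash(doc)
            self.buckets[h[:PREFIX_HEX]].add(h[PREFIX_HEX:])
        self.query_log = []  # everything the issuer observes about verifiers

    def fetch_bucket(self, prefix: str):
        self.query_log.append(prefix)
        return sorted(self.buckets.get(prefix, ()))

def is_revoked(issuer: Issuer, document_id: str) -> bool:
    """Verifier side: send only the prefix, compare the rest locally."""
    h = doc_hash(document_id)
    return h[PREFIX_HEX:] in issuer.fetch_bucket(h[:PREFIX_HEX])

def anonymity_set(population, document_id: str) -> int:
    """How many issued documents share the prefix the issuer saw for this lookup."""
    prefix = doc_hash(document_id)[:PREFIX_HEX]
    return sum(1 for doc in population if doc_hash(doc)[:PREFIX_HEX] == prefix)

if __name__ == "__main__":
    issued = [f"DOC{i:07d}" for i in range(20000)]   # constructed sample IDs
    issuer = Issuer(["DOC0000042", "DOC0001337"])    # constructed revocations
    for doc in ("DOC0000042", "doc-0001337", "DOC0000043"):
        print(doc, "revoked" if is_revoked(issuer, doc) else "not revoked")
    print("issuer saw prefixes:", issuer.query_log)
    print("documents sharing the first prefix:", anonymity_set(issued, "DOC0000042"))
```

The issuer still sees the verifier's network address and the time of each query, so this hides which document was checked, not that a check happened; downloading the whole signed list and matching offline removes even the prefix.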