The proof said yes.

Then the status changed and the system kept going anyway.

That’s the one I can’t stop staring at on @MidnightNetwork.

Not the clean one. Not the one where selective disclosure does its nice civilized thing and somebody proves an identity condition without dumping the whole file out in public. That part is good. Midnight should be good at that. Public chains are awful the second identity gets involved. Too much exposure. Too much permanence. Too much pointless theater around records that were never supposed to become public in the first place.

Fine.

The ugly part starts later.

Because identity is not a one-time fact. Not in any serious system. Credentials expire. Risk flags get added. Sanctions lists update. Residency status changes. Internal policy changes before the app catches up. One team thinks the old proof is still good. Another thinks it died yesterday and nobody told the rest of the system.

And that’s where it starts getting expensive and annoying.

Take a private onboarding flow on Midnight for access to some regulated financial product. User proves they satisfy the identity condition without exposing the whole record. Residency bucket clears. KYC category clears. Sanctions check clears. The proof verifies. Access gets opened. Nice. Very Midnight. Everybody gets to feel like the system finally learned some manners.

Then Thursday happens.

The upstream identity provider updates the status. Maybe a credential expires. Maybe a watchlist hit appears. Maybe the person is still the same person but the category the app depended on is not the same anymore. Friday the app still treats Tuesday’s proof like it means something.

Access is still open. The old yes is still carrying weight. Nobody seems totally sure whose job it was to turn it off.

That’s not a side effect. That’s the problem.

Not fake proof.

Worse. Stale yes.

And stale yes is worse than people admit because it looks valid right up until somebody asks whether anyone was supposed to kill it when the status moved.

The proof only answered Tuesday. Thursday changed the file. Friday the app was still walking around with Tuesday’s answer like nothing happened.

I’ve seen enough systems do this with timestamps alone. Identity just makes it uglier.

Midnight can make identity-linked verification less invasive. Good. It does not make identity state stop aging.

That’s where the nice story starts looking a little fake.

Because once identity sits inside a privacy-first system, the thing that changed may itself be hidden, partially disclosed, or controlled by another institution that doesn’t want to reopen the whole file every time some downstream team says, wait, is this still true?

Now you’ve got a proof that was right on Tuesday.

A status that moved on Thursday.

Access still open on Friday.

And four different teams quietly assuming somebody else owned the job of killing the old yes.

Bank partner says re-check it.

App team says the proof satisfied the rule the product was built around at the time.

Compliance says access should have been suspended when the status changed.

Ops gets a lovely little mess where the process is technically coherent and still obviously not okay.

One system thinks re-check happens on schedule. Another thinks status changes should hit immediately. Same user. Same file. Different clocks. That’s where the whole clean story starts feeling a little fake.
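The two clocks above, modeled as an added example (not code from this post or from Midnight). `Grant`, `StatusChange` and the gate functions are hypothetical names, and the status epoch is an assumed issuer-published version counter that signals that something changed without disclosing what.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Grant:
    proved_at: datetime   # when the eligibility proof verified
    status_epoch: int     # issuer status version the proof was made against (assumed)

@dataclass(frozen=True)
class StatusChange:
    at: datetime
    epoch: int            # new version number only; says nothing about why

def scheduled_gate(grant, now, recheck_every):
    """Clock 1: trust the old yes until the next scheduled re-check."""
    return now < grant.proved_at + recheck_every

def epoch_gate(grant, now, changes):
    """Clock 2: the old yes dies once the issuer has published a newer epoch."""
    current = max((c.epoch for c in changes if c.at <= now),
                  default=grant.status_epoch)
    return current <= grant.status_epoch

def stale_window(grant, changes, recheck_every):
    """Time the scheduled gate keeps honouring a yes the issuer already moved past."""
    moved = [c.at for c in changes if c.epoch > grant.status_epoch]
    expiry = grant.proved_at + recheck_every
    if not moved or min(moved) >= expiry:
        return timedelta(0)
    return expiry - max(min(moved), grant.proved_at)

# Constructed timeline matching the post: Tuesday proof, Thursday change, Friday check.
TUESDAY = datetime(2024, 1, 2, 9, 0)
THURSDAY = datetime(2024, 1, 4, 14, 0)
FRIDAY = datetime(2024, 1, 5, 10, 0)
GRANT = Grant(proved_at=TUESDAY, status_epoch=7)
CHANGES = [StatusChange(at=THURSDAY, epoch=8)]
WEEKLY = timedelta(days=7)

def friday_decisions():
    """(scheduled gate says open?, epoch gate says open?) on Friday."""
    return (scheduled_gate(GRANT, FRIDAY, WEEKLY),
            epoch_gate(GRANT, FRIDAY, CHANGES))

if __name__ == "__main__":
    print("Friday, scheduled / epoch:", friday_decisions())
    print("stale yes lives for:", stale_window(GRANT, CHANGES, WEEKLY))
```

Same grant, same status change: the disagreement on Friday comes entirely from which clock the gate reads, and the stale window is the number somebody has to own.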

That’s not some weird corner case. That’s identity behaving like identity while software pretends time is optional.

And Midnight inherits that problem the second it touches onboarding, credentials, KYC-heavy products, or anything where “eligible” is true for a while and then maybe not.

This is the part that keeps privacy systems honest, or exposes them. Not whether they can prove the condition once. Whether they know what to do after the condition stops being true and the rest of the system has already wandered off with the old answer.

Because by then the argument is not really about privacy anymore.

It’s about freshness, sure, but more than that it’s about ownership. Who was supposed to push the stop signal through before the old yes kept floating around like it still had authority? And if that answer is “some other system, eventually,” then great, now the old yes is still sitting inside the process with authority it shouldn’t have, and the real job becomes figuring out who gets to shut it down without peeling the whole identity record open wider than anybody wanted.

Not because Midnight failed.

Because the proof worked, the system moved, and the part that expired was the thing nobody wanted to expose in the first place.

So yeah, Midnight can absolutely prove someone was eligible.

What the nice clean version does not like talking about is what happens when that eligibility changes later, quietly, upstream, and the private system downstream keeps acting like yesterday’s answer is still alive.

By then nobody’s arguing about the proof anymore. The fight is over who was supposed to kill the old answer, and why it stayed alive this long.
