I have recently been asked by @panoptykon if it was possible to create an online age verification system that would not be a privacy nightmare.

I replied that yes, under certain assumptions, this is possible. And provided a rough sketch of such a system.

But privacy is not the only issue with systems like that:
https://rys.io/en/178.html

#Privacy #AgeVerification #Web


That protocol is simplified to the point where it makes no sense and thus we cannot really evaluate its security, but yeah, I was glad to see that you do get around to semi-acknowledging that a scheme like that would need to rely on some kind of service like Tor to begin to provide any semblance of privacy. Even then the central authority would have a record of it every time each of us hit an age gate, which is valuable metadata to be giving away whether or not it's probably just pornography.

Lots of people seem eager to claim that it can feasibly be done in a privacy-safe way but I still have yet to be convinced of it.

And it's all just to set up a new system of oppression with the other problems you mention. It seems utterly ridiculous.

One particular way in which the story makes no sense to me: The website wants to ask a question about "the visitor." How does it identify the visitor in its message to the central authority? If nothing prevents it, said visitor could simply pass the question on to Charlie's Web Age Verifier Bypass Service down the road which is in possession of an age-appropriate keypair, and relay the response in an automated fashion. How does one prevent that?

I mean it's not as if people wouldn't do it. Borrowing an older kid's ID to buy beer was commonplace when I was younger. Imagine if it could be done automatically, instantly, on a large scale. Shutting down The Pirate Bay is already nigh-impossible for the powers of law and order, it seems. Imagine if every kid had to use it if they wanted to connect to Instagram.

@kbal @panoptykon the website does not identify the visitor to the e-ID service, that's what the trusted app on the visitor's device is for.

The website provides a question and a URL to the trusted app. The trusted app sends a request containing the question, signed with the visitor's key, to the e-ID service. The e-ID service responds with a signed response also containing the question, to the trusted app. The trusted app then forwards that response to the website, using the URL.

@kbal @panoptykon the website knows it's a response related to this particular visit thanks to the nonce. And then verifies the signature on the response against a well-known long-term public key of the e-ID service.

Obviously the e-ID service is not any e-ID service. Perhaps it's government-run. Perhaps it is run by institutions that are somehow "anointed" by the government.
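
The website-side check described in the two posts above, as an added example that is not part of the thread or of the linked post. It assumes Ed25519 signatures, a JSON response body that carries the nonce, and hypothetical function names; the e-ID service's authentication of the trusted app's signed request is left out.

```javascript
// Added illustration; names, JSON wire format and Ed25519 are assumptions.
const crypto = require('node:crypto');

// Constructed stand-in for the e-ID service's long-term keypair.
const eid = crypto.generateKeyPairSync('ed25519');

// Website state: one entry per visit, deleted once a response is accepted.
const pending = new Map(); // nonce -> question

// Website: hand the trusted app a question plus a fresh random nonce.
function issueChallenge(question) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, question);
  return { nonce, question };
}

// e-ID service: sign nonce, question and answer. The signed body names no
// person, so the website learns only the answer to its question.
function eidRespond(challenge, answer) {
  const body = JSON.stringify({
    nonce: challenge.nonce, question: challenge.question, answer });
  const sig = crypto.sign(null, Buffer.from(body), eid.privateKey);
  return { body, sig: sig.toString('base64') };
}

// Website: check the signature against the well-known e-ID public key first,
// then tie the response to an outstanding visit and burn the nonce.
function verifyResponse(resp, eidPublicKey) {
  const sig = Buffer.from(resp.sig, 'base64');
  if (!crypto.verify(null, Buffer.from(resp.body), eidPublicKey, sig)) {
    return 'bad-signature';
  }
  const { nonce, question, answer } = JSON.parse(resp.body);
  if (!pending.has(nonce)) return 'unknown-or-replayed-nonce';
  if (pending.get(nonce) !== question) return 'question-mismatch';
  pending.delete(nonce); // single use: a replayed response is refused
  return answer === true ? 'accepted' : 'rejected';
}

// Demo with constructed values.
const demo = eidRespond(issueChallenge('over-18?'), true);
console.log(verifyResponse(demo, eid.publicKey)); // first delivery
console.log(verifyResponse(demo, eid.publicKey)); // same response again
```
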

Okay, there is a nonce. Presumably it is negotiated somehow to prevent the Website from hiding any info in it. But then the question for the ID server is simply "Does a user who knows this nonce have access to a keypair indicating the right age range?" The user (i.e. the "trusted app" that is in their control) can then simply send that question off to Charlie or whoever and get the desired answer to relay to the Website without revealing to anyone any secrets of their own. The ID server has no way to know it was proving the age of the wrong person, the Website doesn't know who it actually got an age for, and neither can identify the actual user.

I think the people implementing these age verification schemes do want to try and defend against that sort of thing, because both the ones I've seen so far in reality (the one from Spain and some other thing a couple years ago that was closer to your idea) seem to have willingly sacrificed any semblance of privacy in their efforts to prevent it.

@kbal

> The ID server has no way to know it was proving the age of the wrong person

Did you actually read the post?

The e-ID server knows who it is providing a response about, as the request from the trusted app is signed with the key associated with that person.

That key is authenticated by logging into that application through the e-ID service.

The ID server knows who its response is about, but it does not know if they're the person using the website.

@kbal @panoptykon just like when an adult passes any other kind of age verification we could imagine – even most intrusive ones, with fingerprints and whatnot – and then hands over the laptop to a kid. Your point?

I'm not imagining a friendly adult signing in for their child, I'm thinking a completely automated service that instantly gets past age verification for anyone who signs up for it by sharing a pool of stolen, purchased, fraudulently obtained, or willingly shared IDs.
Maybe that could be kept under control by making the keys valuable — hard to replace and maybe even the same keypair that's used for age verifying your mastodon login also used for more important things. But key management is probably going to be a nightmare. Just ask the cryptocurrency guys.

@kbal @panoptykon this is a problem solved well enough for this by any e-government services or e-banking app out there.

Okay I can imagine it being similar to a yubikey, albeit one with a totally new protocol along the lines of what you described. But it occurs to me that people wanting to share their age credentials with friends or strangers wouldn't actually need to give up the keys to anyone. People could run rate-limited age verifier relay services using their legit keypairs without having to compromise their ownership of those keys, similar to the way some people are willing to run bittorrent clients today.

If we assume that anyone who puts in a little effort being able to bypass this elaborate system is not a problem because it's only meant to deter people who can't be bothered, I guess it only remains to design the Tor-like service over which this will run and make it resistant to traffic analysis.

Anyway, thank you for being patient with my questions.

@kbal @rysiek Hey. Thanks for the discussion.
Indeed, the point of the government seems to be to protect younger kids that wander around the internet without supervision and may be harmed by unintentionally accessing adult content. We don't think they are fooling themselves that a 100% airtight system can be deployed.
Also, our position as a human rights watchdog is that age verification, if introduced, must be limited to porn websites; we strongly oppose it being stretched to other services, i.a. IG.

@panoptykon
My position (as a non-Pole and non-EU citizen) is that parents and guardians should be more active in their children's lives in order to protect them. If they don't have the time for that, then that's something we should try to fix.
@kbal @rysiek

@light @kbal @rysiek Consumers alone can't stop climate change with their choices; similarly, parents alone can't protect their children from all harms caused by internet companies (incl. platforms with porn). Actually, we believe a combo of activities by states, businesses, schools, parents, and society as a whole is necessary. We elaborated on it on the occasion of politicians discussing banning smartphones in schools. Here, if you are interested, in Polish though: https://panoptykon.org/zakaz-smartfonow-w-szkolach-jak-wyrwac-dzieci