I'm asking because I honestly can't imagine a solution to this particular problem that is both:
@mttaggart I wrote about the cryptography needed to build a solution a while ago: https://soatok.blog/2025/07/31/age-verification-doesnt-need-to-be-a-privacy-footgun/
The usability on top of the cryptography is a whole 'nother can of worms, though.
And even if you use good cryptography for privacy, if your endpoint leaks your credentials anyway, you still put users at risk.
Further, even if a good solution existed, the ways the laws and regulations about these verification requirements are being written are often shitty on top of all that.
There's not an easy answer. But there should be.
@soatok I remember this post, and I remember bumping on this line:
"We would need existing identity verification services (e.g., ID.me in the USA) to vend PrivacyPass tokens that can be redeemed on third party websites."
This is where I think a lot of privacy advocates are gonna get off the bus.
@mttaggart @soatok the thing I find interesting about id.me is that the reason it squicks me out is because it's state *adjacent*, and its primary use case is for *members of the state* (military, though they do serve other communities).
The fact that it’s not my *state* verifying my *state service* is the weird part for me.
@mttaggart @soatok I'm sure you can cobble something together using noir - it's an awesome framework, and makes ZKPs so much nicer.
Create a circuit which has been peer-reviewed and is identified by its hash
Private input: any ID, must be rooted (signed) by a trusted third party
Public input: whatever you want to know about the ID, plus the root (public key) of the trusted third party
Proof: I have an ID that has a signature verifiable by the public key and fits the requirements
@soatok @mttaggart I think Yivi actually made this? (Disclaimer: I know just enough crypto to know I have no idea if they got it right)
But meh, if the goal really was to protect children, age verification wouldn’t be at the top of the list.