alt Hacker NewsIn your system, can companies verify age offline, or do they need to send a token to the Government's authority to verify it (letting the Government identify and track users)?
Switzerland is working on a system that does the former, but if Government really wants to identify users, they can still ask the company to provide the age verification tokens they collected, since the Government hosts a centralized database that associates people with their issued tokens.
Replies
That assumes the companies store the individual tokens, as does the government. Neither of which are part of the design, but could be done if both sides desired it.
The Swiss design actually doesn't store the issued tokens centrally. It only stores a trust root centrally and then a verifier only checks the signature comes from that trust root (slightly simplified).
Aren't the companies also expected to do revocation checking, essentially creating a record of who identified where, with a fig leaf of "pseudonymity" (that is one database join away from being worthless)?