> EU's planned system requires highly invasive age verification

EUDI wallets are connected to your government issued ID. There is no "highly invasive age verification".

We are literally sending a request to our government's server to sign, with their private key, message "this john smith born on 1970-01-01 is aged over 18" + jwt iat. There are 3 claims in there. They are hashed with different salts. This all is signed by the government.

You get it with the salts. When you want to prove you are 18+ you include salt for the "is aged over 18" claim, and the signed document with all the salts and the other side can validate if the document is signed and if your claim matches the document.

No face scanning, no driver license uploading to god-knows-where, no anything.

> to obtain 30 single use, easily trackable tokens that expire after 3 months

This is the fallback mechanism. You are supposed to use bbs+ signatures that are zero knowledge, are computed on the device and so on. It is supposed to provide the "unlinkability". I don't feel competent enough to explain how those work.

> jailbreaking / "prevent tampering"

This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

> You have to blindly trust that the tokens will not be tracked

This is not true, the law requires core apps to be opensource. Polish EUDI wallet has been even decompiled by a youtuber to compare it with sources and check if the rumors about spying are true. So you can check yourself if the app tracks you.

Also we can't have a meaningful discussion without expanding on definition of "tracking".

Can the site owner track you when you verify if you are 18+? Not really, each token is unique, there should be no correlation here.

Can the government track you? No, not alone.

Can the site owner and the government collude to track you? Yes they can! Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

Can they lie? Sure.

Can the site owner and the government collude to track you if you are using bbs+? No. Math says no.

Can they lie if you are using bbs+? Math says no.

Thanks for posting this.

The inherent problem with all zero knowledge identity solutions is that they also prevent any of the safeguards that governments want for ID checking.

A true zero knowledge ID check with blind signatures wouldn't work because it would only take a single leaked ID for everyone to authenticate their accounts with the same leaked ID. So the providers start putting in restrictions and logging and other features that defeat the zero knowledge part that everyone thought they were getting.

Link?