> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.

It is my understanding that this is not possible. I would be happy to be shown to be wrong, but to me it seems like you can either prevent people from lending out their credentials, or you can preserve the anonymity of the user, but not both.

You can use 0KP to prove you have a signed certificate issued by your government that says you are an adult, but then anyone with such a certificate can use it to masquerade as however many sock puppets they like and act as a proxy for people who aren't adults. You can have the issuing government in the loop signing one-time tokens to stop Adults-Georg from creating 10k 18+ attestations per day, but then the issuing government and the service providers have a timing side-channel they can use to correlate identities to service users. Is there some other scheme I'm missing that solves this dilemma?

> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.

That's the theory. How is it in practice?

In my opinion, it just means there is a single government database to hack to get copies of all IDs...

By the way have the "security experts" checking this app evaluated that part? Or they're just worried about the app users cheating?

The alternative would be to just not do anything and to remove liability from Meta et al. In the world we live in, where competing interests already spent tens of billions to bribe/lobby the EU, we have to be realistic about it.

This open source and transparent ZKP-based approach is extremely surprising to see, publishing a draft in advance and inviting the public to break it so it can be improved? Are you kidding me? What about the billions of private investment in all the companies that offer centralized ID checks like Persona, Socure, ID.me and more? Thats a growing billion dollar industry. They all counted on this as a future market opportunity that the EU just seem to have destroyed at least in the EU?

People fighting against this age id app might be paradoxically useful idiots for billion dollar investments and lobbying efforts. The demos is once again dragged into the trenches to fight a war they don't understand.

You are mixing things up, and EU abbreviations do not help.

Many countries in EU already have electronic identity documents and delegate authentication to mobile apps one way or another.

eID or mobile identity application operating over QR codes and used to log into websites and apps is a commodity here.

This has nothing to do with age verification.

> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.

No it isn't.

Literally that is not the scope document, and such a solution would not be permitted by the EU as compliant with the legislation.

The app isn't zero knowledge. A prototype workflow has been designed for a one way transfer to sites that is zero knowledge, but it doesn't actually deliver zero knowledge because it you have to verify your age with an external provider to get the credential (which is not zero knowledge), the app has to be secured with either Apple or Google's attestation services (which are not zero knowledge), and the site has to be able to check with the original external provider that the credential hasn't been revoked (which is in no way zero knowledge).