Hacker News

rstuart4133 today at 7:49 AM

> But if they reveal nothing, isn't it wide open for abuse?

Good point, they do contain more information than "They are over 18". The primary (usually only) thing is who is attesting they are over 18. That might be the government, or a bank.

That's inevitable, because the usual flow is rather like Google's OAuth - the site needing you to prove your age redirects to the provider (Google, or whoever), who asks questions to verify your identity, and then replies with "over 18" or "not over 18".

This can leak other information aside from the site knowing who is verifying your age. For example, done the wrong way, Google / the government could know what porn sites you like. OAuth, for example, leaks that sort of information. But there is no technical reason it has to be that way.

The major barrier to all this isn't whether it's possible to design a protocol that proves your age, having a driver's licence or even an amount in a bank account. It is absolutely possible. It's that to be useful, everyone has to agree on the same protocol. That has so far proved to be near insurmountable.


Replies

ulrikrasmussen today at 11:46 AM

> the usual flow is rather like Google's OAuth - the site needing you to prove your age redirects to the provider (Google, or whoever), who asks questions to verify your identity, and then replies with "over 18" or "not over 18".

This is false. There are many problems with age verification, but the EU approach does not involve the id provider in the verification flow. The site requiring verification presents a QR code which encodes a presentation request and the provider-controlled URL which is to receive a presentation of the age credential, and then the smartphone generates a unique presentation signed by a device-bound key and sends it to that endpoint.

It is however true that in addition to the one bit of information saying age>18, what is also revealed is the public key of the identity provider. This will at least reveal the nationality of the credential holder and - in the case there are multiple issuers within a nation - may reveal even more information about their demography.
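
The flow described in the comment above, as an added example that is not part of the thread and is not the EU wallet's actual format: a simplified model in which the site verifies a presentation offline against a list of trusted issuer keys. Ed25519, the JSON field names and all function names are assumptions chosen for illustration.

```javascript
// Simplified model (assumption): Ed25519 keys and JSON payloads stand in for
// the real credential and presentation formats, which the thread does not give.
const { generateKeyPairSync, sign, verify, randomBytes } = require("node:crypto");

const pem = (key) => key.export({ type: "spki", format: "pem" });
const bytes = (obj) => Buffer.from(JSON.stringify(obj));

// Issuance (once, ahead of time): the issuer signs the claim together with the
// public half of a key that lives on the holder's device.
function issueCredential(issuerKeys, devicePublicKey) {
  const body = { age_over_18: true, device_key: pem(devicePublicKey) };
  const issuerSig = sign(null, bytes(body), issuerKeys.privateKey).toString("base64");
  return { body, issuer_key: pem(issuerKeys.publicKey), issuer_sig: issuerSig };
}

// Site: the request that would be encoded in the QR code.
function makeRequest(responseUrl) {
  return { nonce: randomBytes(16).toString("hex"), response_url: responseUrl };
}

// Wallet: a presentation unique to this request, signed by the device-bound key.
function present(credential, devicePrivateKey, request) {
  const deviceSig = sign(null, bytes(request), devicePrivateKey).toString("base64");
  return { credential, request, device_sig: deviceSig };
}

// Site: checks use only the presentation and the trusted issuer key list; the
// issuer is never contacted. Returns the claim and issuer key, or null.
// In this simplified model the site also sees device_key inside the credential.
function verifyPresentation(p, expectedRequest, trustedIssuerKeys) {
  const c = p.credential;
  if (!trustedIssuerKeys.includes(c.issuer_key)) return null;
  // A presentation made for a different request (replay) is rejected.
  if (JSON.stringify(p.request) !== JSON.stringify(expectedRequest)) return null;
  const okIssuer = verify(null, bytes(c.body), c.issuer_key,
                          Buffer.from(c.issuer_sig, "base64"));
  const okDevice = verify(null, bytes(p.request), c.body.device_key,
                          Buffer.from(p.device_sig, "base64"));
  if (!okIssuer || !okDevice) return null;
  return { age_over_18: c.body.age_over_18, issuer_key: c.issuer_key };
}
```

The returned `issuer_key` is the extra disclosure the comment points out: matching it against the trusted list tells the site which issuer vouched for the holder.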