janci | 11 months ago

Our state-issued eID cards are supposed to have a function that allows anonymous age verification to a trusted party. It should work like this: a requesting party sends a request signed by a state-issued certificate to the ID card, the card verifies the request's authenticity and responds with a signed confirmation of legal age, and that signature can then be verified by the requester.

No personal information is shared.

While I do not agree with pervasive age restrictions, this is a nice technical solution to privacy-preserving age verification.

kallistisoft|11 months ago

There's an issue with the flow you described; the party requesting verification shouldn't directly interact with the verifying agent (the state) as this leaks to the state the identity of the requesting 3rd party.

The correct flow for preserving anonymity is: the requesting party issues a challenge token to the user -- the token header describes the type of request (>=18yo?) and the token body is completely random(*). The user then takes this token and has the challenge verified (signed) on their side, the signed token is then returned to the requester.

This way the state never knows the identity of the challenge issuer.

(*) Note that this scheme requires good faith on the part of the challenge issuer that the token body is actually random, although it would seem that a simple DH-key mechanism would patch this vulnerability.

janci|11 months ago

I think it is a tradeoff between "everybody can request age verification" and "only state-licensed parties can request age verification". I don't think everybody's ID card should tell anyone if the holder is adult or not, especially wirelessly.

hellojesus|11 months ago

What prevents the requesting party from saving the random bytes and then connecting with the signing party to link the user with the service?

Aloisius|11 months ago

> No personal information is shared.

You'd know the state they're a legal resident of as they use state-specific keys used for signatures.

If the request allows checking arbitrary ages like Apple's, then you can get their age with a handful of requests. If one has to verify every visit, then you can get exact birthdate eventually.

If the one verifying has to pass data to the verifier site or the request to the verifier has any site/app/company-specific IDs (again, Apple), then you're leaking what you're visiting to the verifier.

And not to beat a dead horse, but as long as there are jurisdictions that don't require age verification in the world, children can easily use a free VPN or proxy to avoid checks altogether at which point, one has to ask, why do it at all?

Y_Y|11 months ago

> If the request allows checking arbitrary ages like Apple's, then you can get their age with a handful of requests. If one has to verify every visit, then you can get exact birthdate eventually.

If you assume a sensible rate limit, that entering the check is voluntary (and unlikely to fail), and that people age monotonically, then it's going to require a lot of cooperation from the victim to get more than a couple of bits of entropy.

I wouldn't trust Apple here regardless, since they are not the state and have their own separate interests.
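Added example, not part of the thread and not any real eID's or Apple's API: a small model of the threshold-query leakage and the rate-limit reply discussed in the two comments above, comparing how much of the holder's age stays hidden under three card policies. The `Card` class, the 0 to 127 age range and the sample dates are assumptions made for illustration.

```python
from datetime import date

def age_on(birth: date, today: date) -> int:
    """Whole years completed by `today`."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))

class Card:
    """Hypothetical eID model that answers only 'age >= threshold?'."""
    def __init__(self, birth, today, allowed=None, max_queries=None):
        self.age = age_on(birth, today)   # never leaves the card
        self.allowed = allowed            # None = arbitrary thresholds accepted
        self.max_queries = max_queries    # None = no rate limit
        self.queries = 0

    def over(self, threshold: int) -> bool:
        if self.allowed is not None and threshold not in self.allowed:
            raise PermissionError("threshold not permitted")
        if self.max_queries is not None and self.queries >= self.max_queries:
            raise PermissionError("rate limit reached")
        self.queries += 1
        return self.age >= threshold

def residual_interval(card: Card, lo: int = 0, hi: int = 127):
    """Age range (inclusive) still consistent with every answer the card gave."""
    while lo < hi:
        candidates = [t for t in range(lo + 1, hi + 1)
                      if card.allowed is None or t in card.allowed]
        if not candidates:
            break                         # policy leaves nothing more to ask
        t = candidates[len(candidates) // 2]
        try:
            answer = card.over(t)
        except PermissionError:
            break                         # card refused: leakage stops here
        lo, hi = (t, hi) if answer else (lo, t - 1)
    return lo, hi

# Constructed sample holder: born 1990-06-15, checked on 2025-03-08 (age 34).
BIRTH, TODAY = date(1990, 6, 15), date(2025, 3, 8)

def compare_policies():
    policies = {
        "arbitrary": Card(BIRTH, TODAY),
        "fixed_18_21": Card(BIRTH, TODAY, allowed={18, 21}),
        "rate_limit_2": Card(BIRTH, TODAY, max_queries=2),
    }
    return {name: (residual_interval(c), c.queries) for name, c in policies.items()}
```

Each result is the remaining age interval and the number of predicates the card answered; a card restricted to the legally relevant thresholds reveals only "21 or older" for this holder, while an unrestricted one pins the age down to the year.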

solidsnack9000|11 months ago

"...at which point, one has to ask, why do it at all?"

It seems like this line of thinking would lead you to ask the same question of literally any law, wouldn't it?

Laws often don't rely on being 100%. Even though there is a law saying people need to wear a seat belt, they can just not wear it! So what's the point, &c, &c?

drdaeman|11 months ago

Just curious: 1) which country/eID is this? and 2) does it send the date of birth back, or does it perform a zero-knowledge proof that the date of birth is greater than or equal to a given value (current date minus age requirement)?

jer0me|11 months ago

A handful of states, including California, have a digital ID that can do this. It only sends the fact that you’re over a certain age.

There’s a video halfway down this page showing the process in Apple Wallet: https://learn.wallet.apple/id/ (notice “Age Over 21”)

cogman10|11 months ago

Really comes down to "how sure do you want to be that the person is the right age"? Or the "how hard would it be for a preteen to buy beer?" test.

With an eID card, if it's just saying "yes, this person is old enough" then any teen can swipe a device with an eID card and start using it.

lll-o-lll|11 months ago

So it’s tied to biometrics/other 2nd factor as with passkeys. Wouldn’t stop mini-me of course…

rs186|11 months ago

So kids just memorize their parents' driving license when they don't pay attention, and this is bypassed, just like in the old days.

djsjajah|11 months ago

No. Kids would need to memorize the private key of their parents' ID card.

Jolter|11 months ago

I don’t think that’s how a state e-ID works.