jasonjayr | 1 month ago
(a) an identity provider needs to verify who is using the browser. If that can be strongly tied, then the identity provider could simply provide the "adult: yes" flag, on a need to know basis, but:
(b) the site consuming that header needs to trust that it came from a reliable source. So that flag needs to be signed/verified somehow, and the consuming site needs to trust that the identity provider doesn't lie. But also, the site consuming the header, by law, needs to do everything it can to ensure that it's not a child, so, it will need to ensure that the content is served ONLY to the web browser, and it trusts the web browser. Which means ....
(c) The browser will confirm to the site that it's real, it's trusted, it is not operated by some kind of relay/bot and won't send the content to anything other than the operator authenticated to the browser. So it's going to start signing its requests with a secret key, but that key will need to be on the user's machine, which will need to be trusted, so ....
(d) the signing will have to happen in the secure element, and the key will have to be stored on the machine that the operator cannot access. So some kind of TPM/Measured computing will have to be in place so all parties can trust that nothing was tampered with, or relayed to something else that was not authenticated.
All these things exist today. So the simple law mandating "A site has to ensure that sensitive content is never served to a minor using the strongest technical means available" means anonymous access and untrusted computers on the network will no longer be allowed to work.
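The chain in steps (a) through (d) of the comment above, as an added example that is not part of the original thread: a provider-signed "adult" flag on its own can be handed to any other client, so the site also demands a proof over its own fresh nonce from a key bound to the device. HMAC stands in here for the asymmetric signatures a real deployment would use, and every name (`IDP_KEY`, `DEVICE_KEY`, `idp_issue`, `device_sign_request`, `site_verify`) is hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys. HMAC is a stand-in for asymmetric signatures so the
# example runs on the standard library; a real site would hold public keys only.
IDP_KEY = secrets.token_bytes(32)      # hypothetical identity provider key
DEVICE_KEY = secrets.token_bytes(32)   # hypothetical key kept in the secure element

def sign(key, obj):
    body = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def idp_issue(device_id):
    """(a)/(b): the provider asserts only the flag, bound to one device."""
    claim = {"adult": True, "device": device_id}
    return {"claim": claim, "sig": sign(IDP_KEY, claim)}

def device_sign_request(token, nonce):
    """(c)/(d): the secure element signs the site's fresh nonce."""
    return sign(DEVICE_KEY, {"nonce": nonce, "token_sig": token["sig"]})

def site_verify(token, nonce, proof, device_keys):
    """Site side: provider signature first, then device proof over this nonce."""
    if not hmac.compare_digest(sign(IDP_KEY, token["claim"]), token["sig"]):
        return "bad-idp-signature"
    if token["claim"].get("adult") is not True:
        return "not-adult"
    key = device_keys.get(token["claim"].get("device"))
    if key is None:
        return "unknown-device"
    expected = sign(key, {"nonce": nonce, "token_sig": token["sig"]})
    if proof is None or not hmac.compare_digest(expected, proof):
        return "no-device-proof"   # flag alone, or a proof made for another nonce
    return "ok"
```

A token presented without a proof, or with a proof computed for a different nonce, is rejected even though the provider's signature on the flag is valid, which is the step from (b) to (c) in the comment.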
skybrian | 1 month ago