(no title)

I'm curious about the 'day after' scenario: what's the move if the state decides to regulate these into "illegality" because they bypass official channels? We have to remember that the devices aren't the problem... the real hurdle is the bureaucratic gatekeeping of communication. The problem are people, not devices.

Finally, the year of IPFS. Government messing too much with the internet will end up pushing people to use more "dangerous" internets that are completely unregulated and that is surely the opposite of the the stated purpose to protect young people.

There are (to make up a number) ten desirable properties of the modern internet, and so far it's "Pick two", but novel combinations of the things you mentioned offer "Pick three" or possibly "Pick four" if adoption picks up.

For text, phone, and even image communication in urban and suburban areas, it sounds like there's real promise here. But we're not going to achieve parity with a global fiber + datacenter network by any means.

You don't need all ten to, say, organize a revolt.

It's not other operating systems fault that they failed to invest into security. They should try and catch up instead of blaming people for not trusting their security on "regulatory capture".

It's not zero knowledge for me then. Also - if there is ANY possibility to track anyone. And/or centrally mark someone "nonverified" then it makes more problems than solves.

Even if I trust my govt (no way), even if it'd be fully ZK with no way to track anyone… still govt would have a way to just block some individual "because".

And the best part… Age verification will not solve "children problem". I think it's parents problem to take care of their children, AV will be pretty easy to bypass - kid will just borrow ID for a moment and… voila! Govts (or some people) are creating problem and solution that do not exists.

I do not like way internet went, I do not like more way it's headed now.

The "open source" apps connect to proprietary backends run by a third party that you have to blindly trust. If EUDI wallets were truly open source and free from blindly trusting any authority, then you could simply remove that requirement and issue your own tokens without the use of potentially malicious third party.

I can use my banking services through the web. Codifying the Google/Apple monopoly in law is gross.

That is not zero knowledge. Given that actual zero-knowledge systems are well understood, the only reason to deploy a system that allows that would be if you planned to abuse it.

> jailbreaking / "prevent tampering"

> This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

This is unacceptable. So much talk about independence from the US, you simply cannot make it a hard requirement to use the duopoly to be a citizen (as if it wasn't a quasi-hard requirement already)!

You're mistaken. SD-JWT with linkable ECDSA signature is the main mechanism. An unlinkable signature scheme is being discussed on the fringes of the EUDI-project (whether it be BBS+ or Longfellow) and very bare-bones support for Longfellow has been added to the reference wallet a month ago. However the Implementing Acts have no support for such a mechanism yet, and most member states will only implement ECDSA based mechanisms (SD-JWT and ISO 18013) for the foreseeable future.

It's therefore very likely the EUDI wallet and/or a age verification solutions will launch with issuer linkable ("easily trackable") signatures.

See also this thread: https://news.ycombinator.com/item?id=45363275

Most banking apps run on GrapheneOS, will this? Nearly all EU banking websites run on Firefox on Linux, will this?

Why did you not quote the App Store/Google Play Services part, which is much worse?

> There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

I'm sure this will be as diligently carried out as GDPR enforcement. [0].

[0] https://noyb.eu/en/project/dpa/dpc-ireland

Now your EU government requires you to have an unmodified Google or Apple device to use any age restricted services. Cementing the US mobile OS duopoly and locking out any free systems and desktop etc. forever.

Any governmental service taking part in this is a violation of civil rights and even if you don't care about those, maybe you care about digital sovereignty.

This is so lightly handwaved away, almost as if attention needs to be drawn away. By the looks of this I'd say the end of general computing might be the actual goal, and all the age verification is just yet another "think of the children" pretense?

Except the state is not a bank, of which there are many. The state is not optional, and trusting an American company with, of all things, the digital precondition for social existence, is suicidal.

If the "18+ claim" can't be linked to your identity and doesn't have any rate limits, someone can set up a token-as-a-service to sell tokens on the black market.

> Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

> Can the site owner and the government collude to track you if you are using bbs+? No. Math says no.

How does the math say no? Big tech companies already log absolutely everything. What's going to stop the government from keeping all the salts they're issuing and then mandating that site operators add the salts to their existing logs?

> Can they lie? Sure.

Well, they've lied to us over and over when it comes to surveillance, so I think at this point it's reasonable to assume they're lying unless it's technically impossible. Where's the in-person key verification that used to be in Whatsapp? How do the authorities get notified when someone makes a poorly thought out joke using Snapchat private messages before getting on a plane? Why is there a war on end-to-end encryption?

We're going to pay a fortune for these supposed zero knowledge systems and that's what it's about. Select companies are going to get paid to issue tokens and the scale is going to create a few new billionaires.

The people in charge are going to gain a ton of power when they betray everyone and disenfranchise us.

You've already lost. You're at the government's mercy. They can simply refuse to sign.

"Mr. John Smith, we noticed you've published some poorly-worded comments online. Why are you locked out of your account, you say? Oh, that's just an unfortunate technical issue with our signing system, happens all the time. Anyway, this is a friendly reminder for you to improve your online etiquette. Have a nice day."

That is not true and "true zero knowledge ID check" + "age verification" with blind signatures is what's being implemented by the EU ID project.

So someone's id leaks. It happens. In EUDI there are things called "cryptographic accumulators of non-revocation proofs". If your ID leaks it goes into the accumulator. Similar to the certificate revocation lists. During check, you include claims "im over 18" and "my id is not in the accumulator".

This is included in the standard.

This is also (I can only assume) one of the reasons why EUDI wallets require play integrity / attestation / secure element on the device. So your private key won't be easily leaked and no one can steal your ID.

https://www.forbes.com/sites/federicoguerrini/2025/08/10/who...