Theoretical Private Age Confirmation -- Possible?
-
wrote on last edited by [email protected]
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
How does the website ask if someone's over 18 without knowing who they're asking about? The website would still need to confirm who's asking for access and then it's back to the whole ID situation to make sure kids aren't claiming to be their parents
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
I probably have the details wrong but this is basically what Pornhub was asking for in the US when individual states started restricting porn sites.
Regardless, I don't like the idea of a nanny state.
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
I am never going to use an official government service to sign in to a porn site.
And I very much doubt that's just a "me" thing.
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
Yes, such systems are in development and are called identity wallets. https://yivi.app/ for example has the idea of zero trust attribute sharing. You can request attributes the government knows and store these on your phone. You could then share an attribute like "over 18" with the porn site without the government knowing you shared it with them. Most identity wallets don't want to touch the porn industry tho. So it isn't used for that (yet).
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
It can be quite simple: the government, under user request, can generate a certificate that only contains the fact that you are more than 18 years old and is stored locally in your device. Since it's the state the one issuing it, the info of the cert can be trusted.
Then, when you log into a service requiring age verification, you log using your device that sends the info from your locally stored certificate, telling the website simply that you are not underage.
The state doesn't need to know how are you using the cert, and the website won't receive any personal info because the certification authority is a trusted organsation so the info about it is automatically trustworthy.
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
Hello yes, I am 82 years old. My name is Joe Biden, feel free to check my age with the government.
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
Totally possible and something you can do already with digital ID.
Checkout RealMe in New Zealand: https://www.govt.nz/browse/passports-citizenship-and-identity/proving-and-protecting-your-identity/use-realme-to-prove-your-identity-online/A big issue is that many countries are a decade behind in implementing this system. They’re effectively asking the liquor store to check customers are 18, without government ID existing. So now the private sector is creating ID solutions to avoid legal liability. It’s a real mess.
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
wrote on last edited by [email protected]I think you'll need to generate a OTP type thing from a government site that's a message with a timestamp and maybe the code provided (and chosen by) the website signed by that site's private key, then have the 18+ website check that it's signed by the government.
Basically, the digital equivalent of your teacher giving you a letter/consent form to bring home for mummy to sign and then return to the school.
Possibly you could have a fingerprint that goes on it that only the government could recognise if the website hands it over to them (likely under court order) if you are concerned about fraud/people using other people's accounts.
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
wrote on last edited by [email protected]The official service wouldn't know where the request is coming from
No, not doable.
Such an info service can only be either serious or not. Think about it.
If they try to do it the serious way, then the official source of information must know, and keep a log about, who is asking. And the user must get the opportunity to read this log, who has asked about them. Maybe they must even get the chance to approve or deny every single one of these requests.
If they don't try to do it the serious way, then their service will never be meaningful/sufficient in such countries where age verification is mandatory.
-
The official service wouldn't know where the request is coming from
No, not doable.
Such an info service can only be either serious or not. Think about it.
If they try to do it the serious way, then the official source of information must know, and keep a log about, who is asking. And the user must get the opportunity to read this log, who has asked about them. Maybe they must even get the chance to approve or deny every single one of these requests.
If they don't try to do it the serious way, then their service will never be meaningful/sufficient in such countries where age verification is mandatory.
Not sure. How about this (simplified):
- USER visits porn site
- PORN site encrypts random nonce + "is this user 18?" with GOV pubkey
- PORN forwards that to USER
- USER forwards that to GOV, together with something authenticating themselves (need to have GOV account)
- GOV knows user is requesting, but not what for
- GOV checks: is user 18?, concats answer with random nonce from PORN, hashes that with known algo, signs the entire thing with its private signing key
- GOV returns that to USER
- USER forwards that to PORN
- PORN is able to verify that whoever made the request to visit PORN is verified as older than 18 by singing key holder / GOV, by checking certificate chain, and gets freshness guarantee from random nonce
- but PORN does not know anything about the user
There's probably glaring issues with this, this is just from the top of my head to solve the problem of "GOV should know nothing".
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
I think that at the bare minumum, the PORN<->GOV connection must not occur. How about this (simplified):
- USER visits porn site
- PORN site encrypts random nonce + "is this user 18?" with GOV pubkey
- PORN forwards that to USER
- USER forwards that to GOV, together with something authenticating themselves (need to have GOV account)
- GOV knows user is requesting, but not what for
- GOV checks: is user 18?, concats answer with random nonce from PORN, hashes that with known algo, signs the entire thing with its private signing key
- GOV returns that to USER
- USER forwards that to PORN
- PORN is able to verify that whoever made the request to visit PORN is verified as older than 18 by singing key holder / GOV, by checking certificate chain, and gets freshness guarantee from random nonce
- but PORN does not know anything about the user
There's probably glaring issues with this, this is just from the top of my head to solve the problem of "GOV should know nothing".
-
I am never going to use an official government service to sign in to a porn site.
And I very much doubt that's just a "me" thing.
I didn't say "log in to porn via gob."
I was rather proposing a way to privately and securely confirm age without either party (gob. and adult site) knowing each other's info (i.e. porn site doesn't get your info, gob. site doesn't know you're seeking adult content)
And it isn't an idea limited to pornography-related websites, but rather any website that wishes to confirm any information about the user, without directly getting the user's info
It'd be essentially a temporary certificate of sorts that proves a requirement, such as "18+"
-
Hello yes, I am 82 years old. My name is Joe Biden, feel free to check my age with the government.
You'd have to authenticate yourself with the gob., therefore proving your real identity. The gob. would then, for example, provide proof of you being 18+, if that's what is relevant, without knowing what your use case is, and the website, without getting any further information about you, can then confirm you are indeed 18+ (gob. confirmed). Said confirmation would need to be temporary, to ensure fresh information (akin to 2FA TOTP, which changes after some time)
-
I think that at the bare minumum, the PORN<->GOV connection must not occur. How about this (simplified):
- USER visits porn site
- PORN site encrypts random nonce + "is this user 18?" with GOV pubkey
- PORN forwards that to USER
- USER forwards that to GOV, together with something authenticating themselves (need to have GOV account)
- GOV knows user is requesting, but not what for
- GOV checks: is user 18?, concats answer with random nonce from PORN, hashes that with known algo, signs the entire thing with its private signing key
- GOV returns that to USER
- USER forwards that to PORN
- PORN is able to verify that whoever made the request to visit PORN is verified as older than 18 by singing key holder / GOV, by checking certificate chain, and gets freshness guarantee from random nonce
- but PORN does not know anything about the user
There's probably glaring issues with this, this is just from the top of my head to solve the problem of "GOV should know nothing".
Hmm… sounds good, other than the amount of work getting and sending stuff everywhere. Though I guess if it were a one-time thing, that'd be fine. I'm used to no cookies and the cookies pop-up always coming back cuz the website never remembers, so my mind just went "too much work" but it could work if the website were to not prompt every time
-
I didn't say "log in to porn via gob."
I was rather proposing a way to privately and securely confirm age without either party (gob. and adult site) knowing each other's info (i.e. porn site doesn't get your info, gob. site doesn't know you're seeking adult content)
And it isn't an idea limited to pornography-related websites, but rather any website that wishes to confirm any information about the user, without directly getting the user's info
It'd be essentially a temporary certificate of sorts that proves a requirement, such as "18+"
wrote on last edited by [email protected]IMO, your suggestion assumes that today's government and tomorrow's government will have the same ideals and viewpoints on pornography, and not for 1-2 administrations, but indefinitely. Being able to reverse engineer someone via metadata is possible as is, and likely will become even more finetuned as we AI evolves.
As an American, there are plenty of examples under the current administration where data shared in confidence by undocumented immigrants are now being used to target them for deportation.
It's kind of like sharing data with a company indefinitely because of their current ToS, which is just a snapshot in time. Today's "helpful" approach towards data collection becomes a key part of surveillance in tomorrow's world.
-
Not sure. How about this (simplified):
- USER visits porn site
- PORN site encrypts random nonce + "is this user 18?" with GOV pubkey
- PORN forwards that to USER
- USER forwards that to GOV, together with something authenticating themselves (need to have GOV account)
- GOV knows user is requesting, but not what for
- GOV checks: is user 18?, concats answer with random nonce from PORN, hashes that with known algo, signs the entire thing with its private signing key
- GOV returns that to USER
- USER forwards that to PORN
- PORN is able to verify that whoever made the request to visit PORN is verified as older than 18 by singing key holder / GOV, by checking certificate chain, and gets freshness guarantee from random nonce
- but PORN does not know anything about the user
There's probably glaring issues with this, this is just from the top of my head to solve the problem of "GOV should know nothing".
What you want is cryptographic Zero-knowledge proofs, not regular encryption. See anonymous credentials protocols.
And it does require every verifying entity to trust the issuer (each user could collect attestations from multiple issuers, to prove different things to different verifiers)
Another issue is the risk of deanonymization by verifiers simply asking for more proof of many different properties, until you can be identified anyway
-
How does the website ask if someone's over 18 without knowing who they're asking about? The website would still need to confirm who's asking for access and then it's back to the whole ID situation to make sure kids aren't claiming to be their parents
You could tie it to requiring access to a digital ID (with password / PIN protection, etc), but yes kids could still "borrow" it
-
IMO, your suggestion assumes that today's government and tomorrow's government will have the same ideals and viewpoints on pornography, and not for 1-2 administrations, but indefinitely. Being able to reverse engineer someone via metadata is possible as is, and likely will become even more finetuned as we AI evolves.
As an American, there are plenty of examples under the current administration where data shared in confidence by undocumented immigrants are now being used to target them for deportation.
It's kind of like sharing data with a company indefinitely because of their current ToS, which is just a snapshot in time. Today's "helpful" approach towards data collection becomes a key part of surveillance in tomorrow's world.
Website: 18+?
Gob.: Yep
???The ideia is neither party is aware of the other's info. The website wouldn't have your data, and the gob. wouldn't know what the information is for.
Website knows, e.g. is the user 18+?, which the user agrees to share, but not anything else
Gob. knows, e.g. you wanted to confirm being 18+ (better if it just didn't know at all), but knows not what use you'll make for that
One side asks a yes or no question, the other gets a question (no source), answers it, the answer makes it back to the first side with no further info.
Unless they can know exactly who you are because you proved to be 18+ or something. Granted, if it were your names, for say a social media profile, that'd be different
-
Hmm… sounds good, other than the amount of work getting and sending stuff everywhere. Though I guess if it were a one-time thing, that'd be fine. I'm used to no cookies and the cookies pop-up always coming back cuz the website never remembers, so my mind just went "too much work" but it could work if the website were to not prompt every time
As long as your browser saves an auth token or something for GOV somewhere, all of that can happen without user interaction.