Theoretical Private Age Confirmation -- Possible?
-
The attributes are cryptographically signed by the provider. With their public key you can check if they are actually signed by them.
To verify the signature with the public key, don’t you need to contact the service/party that signed it?
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
wrote on last edited by [email protected]I might be missing something, but they could just mass validate 100 IDs in person, without logging anything, then mix/shuffle 100 "person is an adult" codes (or even multiple per person) that aren't directly connected to anyone and hand these out at random.
This way neither the government, nor the website knows your real ID and your age can still be verified.
Edit: Sure you can still somewhat be tracked by these codes, but this may be mitigated by handing out new or multiple codes and having them expire.
-
To verify the signature with the public key, don’t you need to contact the service/party that signed it?
Yeh, but it's public and normally has a decent validity, so you could fetch it once and then use it for years.
-
Yes, such systems are in development and are called identity wallets. https://yivi.app/ for example has the idea of zero trust attribute sharing. You can request attributes the government knows and store these on your phone. You could then share an attribute like "over 18" with the porn site without the government knowing you shared it with them. Most identity wallets don't want to touch the porn industry tho. So it isn't used for that (yet).
To add to this: The EU is developing this and it’s supposed to be available to all EU citizens at the end of 2026. From that time government services should also be able to accept it. (Not sure if they’re going to make it, the standards are still under active development).
It’s all based on OpenID Connect (OIDC). Everything is being developed in the open, as open source software. You can find the github project here.
If you want to take a look at the draft standards themselves, search for OpenID4VCI (standard for issuing of credentials to a wallet) and OpenID4VP (standard for presenting credentials to 3rd parties).
-
Yeh, but it's public and normally has a decent validity, so you could fetch it once and then use it for years.
But for the same signed attribute?
It seems like the signer would know which clients are attempting to verify authenticity?
-
But for the same signed attribute?
It seems like the signer would know which clients are attempting to verify authenticity?
If the signer (government in this case) is signing everyone's attribute with the same private key, then the public key will be able to verify all of them.
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
wrote on last edited by [email protected]Having government confirm age of users is the beginning of having to use a real id to use the internet. Thats the wet dream of governments and big tech, but its a total nightmare for privacy and discussing things without your real name being known.
Just watch linkedin and see how discussions are extreamly limited there, since people dont want to discuss sensitive things in front of others using their real name.
-
Hello,
I was gonna post this on Ask Lemmy, but then I thought maybe Technology would be a better fit for the theme. But then I saw it's mostly news, so I thought perhaps Ask Lemmy would indeed be a better fit. If this is not the case, please point me to the right direction.
As a heads-up, I am not 'Murican, and never been to 'Murica, so keep that in mind.
Seeing the recent news with France trying to age-restrict pornographic material online, I was wondering and have sort of an idea, that I wonder if it is actually doable and actually good.
Hear me out: the gobermint likely already has your data, right? At least stuff like name, date of birth, etc. The gobirment could have a private and secure service, which websites and services could use to confirm certain requirements.
For instance: A website wants to confirm if you're over 18. The website essentially asks the official gob. service, "is this user at least 18 years of age?". The official gob. service essentially has to answer "yes, your requirements are met" or "no, your requirements are not met", without giving away information on a person. The user gets prompted, being told what information is being required and whether they wish to share that. The official service wouldn't know where the request is coming from, but the original website requesting the information generates and shows a temporary code, which is not related to the website at all and is sent to the gob. service, so that the user can confirm it is indeed the website they were using that is requesting this, and not a hijack of some kind. The gob. service, if allowed by the user, sends out this confirmation to the original website, without the gob. service knowing the website and without the website knowing the user's info. The website then knows whether their requirements are met and can then act accordingly, such as by not allowing someone to access adult material if they do not meet the age requirement.
Does this make sense? Is it doable? Could it be a potential private and secure way of confirming user information without either party having access to the other's information? Obviously, the idea could be worked on and polished, but as a starting point.
Edit: so, what I'm gathering from comments here:
- Som'o'y'all didn't get it (no, you don't got to log in to your porn tube of choice with an official gob. account)
- This cannot be done
- This could be done
- This is already a thing being worked on
The important thing, if I'm the government, is that this helps me round up and eliminate my political enemies, based on their online activity.
This can be done securely and privately to prevent this. I recommend this approach, to start.
Then after a few months, I can change the implementation to eliminate the privacy.
Then, when I'm ready, I can start blackmailing or arresting folks for their pornography preferences.
Or - if I'm feeling confident - I can keep it simple and just have my secret police throw folks out of third story windows anytime they post anything critical of my governing style.
Overall, if I want to abuse the Internet to hold onto my power using blackmail, terror and murder, online age verification is a great first step, for me.
Folks probably shouldn't elect me, but they may want to consider that I'm not the only one who knows how to do this.
-
The important thing, if I'm the government, is that this helps me round up and eliminate my political enemies, based on their online activity.
This can be done securely and privately to prevent this. I recommend this approach, to start.
Then after a few months, I can change the implementation to eliminate the privacy.
Then, when I'm ready, I can start blackmailing or arresting folks for their pornography preferences.
Or - if I'm feeling confident - I can keep it simple and just have my secret police throw folks out of third story windows anytime they post anything critical of my governing style.
Overall, if I want to abuse the Internet to hold onto my power using blackmail, terror and murder, online age verification is a great first step, for me.
Folks probably shouldn't elect me, but they may want to consider that I'm not the only one who knows how to do this.
Depends on how you implement it, innit? If the gob. gives you an official certicate confirming something, for instance, which you then save onto your machine and then upload to the website or service. What could the gob. do? Attach a string on the file to pull it back? Unless a file can call home somehow (assume a non-executable file, with info only). They could change how it works later on, and make it work in their favour maliciously, but they'd have to make quite the big change. Plus people might not have as big of a need later, maybe. Assuming it's a once-and-done thing.
-
Depends on how you implement it, innit? If the gob. gives you an official certicate confirming something, for instance, which you then save onto your machine and then upload to the website or service. What could the gob. do? Attach a string on the file to pull it back? Unless a file can call home somehow (assume a non-executable file, with info only). They could change how it works later on, and make it work in their favour maliciously, but they'd have to make quite the big change. Plus people might not have as big of a need later, maybe. Assuming it's a once-and-done thing.
wrote on last edited by [email protected]What could the gob. do?
I would provide an app to manage the certificate for you, since most people won't know how.
And I would regularly update the app to keep it current and secure. ( I might occasionally add features to make sure
I... You have the best experience. )And I would have some very discrete, anonymous and minimal telemetry - just to help me maintain the app.
If I happen to know how to pair that telemetry with other tracking data that I purchase form other sources...maybe I can engage in a tiny bit of strategic blackmail...and well...you shouldn't elect me.
