I know age verification is stupid bullshit pushed on us by conservative morons who hate queer people...

But since those clowns are the ones writing the laws right now, would anyone be interested in building a service that looks like this?

  1. Authenticate with FIDO2 tokens.
  2. Upload photo ID for manual verification into an isolated subsystem. (TODO: Figure out how to remove this step with help from local governments.)
  3. After verification, issue privacy pass tokens (with Ristretto255) that other apps can consume/verify as proof of being 18+.

I'm not happy with the prospect of this being necessary, but being able to use cryptography to limit the blast radius of privacy violations is something I'd be interested in working on. I'm sure I can convince my peers in cryptography to help, too, if there's sufficient demand for it.

19% Build it! WANT!
45% Mildly interested
5% Not interested
14% Very not interested (and/or insulted)
16% NULL (see results)
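The blinded issuance and redemption behind step 3 of the proposal above, as an added sketch that is not code from the original post: the OPRF-style exchange Privacy Pass builds on, where the issuer signs a value it cannot later match to the redeemed token. It assumes a toy group (squares modulo a small safe prime) in place of Ristretto255, a redeemer that holds the issuer key `k`, and it omits the DLEQ proof that shows every user gets the same key; all function names are hypothetical.

```python
import hashlib, secrets

def is_prime(n):  # deterministic Miller-Rabin, valid for n < 2**64
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all(pow(x, 2**i, n) != n - 1 for i in range(1, s)):
            return False
    return True

# Toy stand-in for Ristretto255 (assumption): squares mod a safe prime P = 2Q + 1.
Q = next(q for q in range(2**60 + 1, 2**61, 2) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1

def hash_to_group(token):
    x = int.from_bytes(hashlib.sha256(token).digest(), "big") % (P - 3) + 2
    return pow(x, 2, P)  # x in [2, P-2], so the square has order Q and is never 1

def client_blind(token):
    r = secrets.randbelow(Q - 2) + 2            # blinding factor, stays on the client
    return r, pow(hash_to_group(token), r, P)   # all the issuer sees: H(token)^r

def issuer_sign(k, blinded):
    return pow(blinded, k, P)                   # called only after the age check passes
def client_unblind(r, signed):
    return pow(signed, pow(r, -1, Q), P)        # (H^(r*k))^(1/r) = H(token)^k

def redeem(k, token, sig, spent):
    if token in spent or sig != pow(hash_to_group(token), k, P):
        return False
    spent.add(token)                            # single use: replays are rejected
    return True

def demo():
    k = secrets.randbelow(Q - 1) + 1            # issuer's secret key
    token = secrets.token_bytes(16)             # constructed sample; never sent at issuance
    r, blinded = client_blind(token)
    sig = client_unblind(r, issuer_sign(k, blinded))
    spent = set()
    outcomes = [redeem(k, t, sig, spent) for t in (token, token, b"forged")]
    return outcomes, blinded != hash_to_group(token)

if __name__ == "__main__":
    print(demo())
```

The issuer's records hold only `blinded`, and the redeeming site sees only `token` and `sig`; without the client's `r` the two cannot be matched to each other.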

Let me be clear: I have done zero research on existing solutions in this space as I ask this.

I'm not in a hurry to reinvent the wheel if I don't have to.

I'm just curious if it's a thing other folks want to exist.

@soatok I voted null because I remain ambivalent about this. On the one hand if done properly it would be a great way of removing the burden from small site owners. On the other, this would only serve to normalize what many consider to be privacy invasive (myself included). Part of the argument against these sorts of systems is that it places unnecessary strain on site operators (I mean, IDs are not just like an email address…). I’m afraid if you remove that it would make it harder to argue against these sorts of laws.

@puppygirlhornypost2 Yeah, and part of the work here would be talking to the agencies that issue IDs and going

"Hey, issue better IDs that can issue zkPoKs on demand."

@spud This isn't a project I'd undertake lightly, if I ever did it

@soatok @spud pornhub owns a lot of sister sites (youporn and some others i forget the list) and they’re pretty adamantly against it. problem for porn industry is not the cost it would take to do it properly, it’s the fact that they would get less views and paying customers. nobody wants to attach their ID to a porn site. My state has one of those stupid laws (Oklahoma) and pornhub displays a big message about it.

@puppygirlhornypost2 @spud This is why I'm suggesting PrivacyPass as a solution there.

Nobody would "attach their ID to a porn site". They would have an anonymous credential that just proves they're 18+.

@fazalmajid (Also, it's a thing other people have built before.)

@soatok I will never use a service like this unless I'm forced to do that. I voted yes because other people may/will need that, and I want it to be done by crypto people rather than randoms.

@kaateeh Yeah, and the entire point of it is to use anonymous credentials, which keeps the porn site from ever learning who you are.

@soatok @spud Yes, I was just trying to express why they might be skeptical at first. There is always a worry that they will expand on this law later

@puppygirlhornypost2 @spud Yeah, they certainly will try. I hope they don't succeed.

@soatok if we start complying, we have already lost

@pup I dunno if you've paid attention to the news at all, but we've absolutely already lost.

@soatok

My concern would be it doesn't verify age - it verifies possession of an object.

If my kid steals my driver's license to buy beer - the seller can use the driver's license to confirm identity - or that the card doesn't match the user, and deny the transaction. If my kid steals my yubi and that's the only factor, bam. (If you *forced* PIN enablement maybe better, but that creates a barrier to adoption)

I'm not a fan of single-factor passkey usage of a yubi for the same reason. Without the memorized bit, it's too prone to physical threat.

I honestly think the entire concept of age verification has real issues. It's hard to implement because age is a crappy metric, and I hate to encourage politicians in making bad laws.

@tbortels

If my kid steals my yubi and that's the only factor, bam. (If you forced PIN enablement maybe better, but that creates a barrier to adoption)

I would force PINs. I might also enable TPM attestations so it can only be used on the devices you control.

@soatok I don't want it to exist, but if something has to exist, this at least seems not horrible.

@l_b_i Yeah, that's kind of how I feel too

@soatok when conservatives ask for age verification on certain sites, it's never really been because of their base level arguments. These are never made in good faith. I cannot help but feel that this would encourage more overreach into the decentralized Internet.

</opinion>

@soatok
not to bait you into going on a massive tangent but why?

@soatok I really would prefer something like this not be necessary at all, but if it has to exist I guess I’d rather know it was designed to protect privacy from the start. Being able to clearly explain how a user could be sure their identity isn’t being revealed (even by correlation with the issuer’s data) and a site operator can be confident in the age attestation provided by the tokens would probably be very important for something like this to be adopted.

However, you would also face a really big, non-technical barrier: the people¹ who most need to be convinced this technology is a valid alternative to uploading IDs to websites a) likely won’t understand how this works/proves a user’s age, and b) wouldn’t care even if they did because the point isn’t really to keep kids off the sites - it’s to shame us into conforming to their imposed moral standards and be able to identify/punish those who don’t.

¹ i.e. the politicians pushing these laws

@soatok IMO the trick would be to avoid systems abusing the tokens to fingerprint and dox users via their browsing habits. Worst case, google, amazon or facebook age gates something using those tokens and instantly maps the tokens to specific people and/or specific physical locations.

To preserve privacy the verification cannot be done in the age-gated system itself but instead by a trusted 3rd party that itself cannot retain what the tokens are being used to access.

@beeoproblem You should really learn about anonymous credentials.

@soatok bending over to their demands is an invitation to do more.

i am tired of constant surveillance into the internet. don't concede.

@soatok governments and companies already collect a shitton of data on you outside the internet. let's not add to that.

@soatok
There is not a single system that can be designed to be effective. Private or otherwise. It is always possible to pass the age verification and then hand over the device to someone who shouldn't pass.

This whole issue with protecting kids is not about age verification nor is it about actually protecting kids. It is about bullying and discouraging people from accessing content that is deemed "obscene" by the powers that be. They hide behind the kids because that forces people to agree with the idea, because if you don't agree then apparently "you hate kids".

All these bright people in the comments are enthusiastic about designing systems for private age verification, but unfortunately it is moot because this whole idea was never about age verification in the first place. The lawmakers want a system that shames people.

@soatok

On a technical level - seems reasonable.

On a people level - a $45 key plus a pin you have to use is a significant barrier to entry. I don't see it getting traction. Plus uploading a photo to strangers - just feels like a trap. A list of porn consumers with their mugshots waiting for a subpoena? Pass.

But - my future-prediction track record is spotty at best, and I *never* let practicality get in the way of a good hack.

@soatok

And I would *absolutely* use this for internal identity, assuming it was open sourced. At my prior workplace, we were doing zoom calls to match a face with records for MFA resets, for reasons. Some of the attackers are getting very sophisticated...

@tbortels @soatok

Note: Just because one uses a photo ID for identification does NOT mean that it must be stored in a database for future subpoena.

@JeffGrigg @soatok

Ah, but you have to take the implementer's word for that.

In the dotcom boom days (I ran an ISP), I lost count of how many folks were taking credit card orders online and just storing everything, including CVV, in a plaintext file, on a shared system, while calling their site "secure".

I know @soatok wouldn't do the moral equivalent of that, but a general distrust here is healthy - I wouldn't hand out my headshot for porn.

That's the beauty of "show your ID to buy booze" - you have reasonable assurance that the vendor's access to your credentials is ephemeral.

Dunno. I may be doing a bit of a chicken-little, I mean I put my face onto my mastodon account.

@soatok got it. Yes, I’m fairly certain this is what id.me exists to be. I know it’s used by several california government sites to verify residency. I’ve not implemented it myself, however.

@catsalad

@twipped @catsalad Neat. I wasn't aware that such a real-world application of zero-knowledge proofs was in the hands of the government. Usually they're slow to adopt.

@twipped @catsalad Huh. I only see OAuth in their sample code and developer docs.

@soatok supposedly a (sounds like client-side) age verifier "go.cam" has been approved for uk osa; some details linked from here (the patreon link was not paywalled at this writing)
https://mstdn.party/@pandorablake/114241236040474044

highlights: source on github, "respects user privacy, with no identifying user data retained or transferred, no tracking cookies, and double anonymisation." [whatever that last is]

@soatok I’m interested on a technical level. I’m appalled that “think of the children” has led us to a situation where even the best technical solution would be easy to hack socially.

It’s just like my bank’s “verify calling agent via app” solution. Kinda neat technically, but I immediately thought of a way to mitm it.

@slotos I could probably staple privacypass onto id.me to vend anonymous proofs of being a certain age with minimal headache.

I just haven't decided on whether I want to commit my precious evenings on such an endeavor.
