[iso1210]

Imagine you are visiting hacker news, and for some reason you have to prove your age, but you don't want HN to know who you are, nor your age identity site to know you're going to HN

One way to do this off the top mf my head would be

HN issues a unique number (say 4096 bit) to you when you create an account

You send that number to your identity provider along with confirming proof of age

The identity provider signs that the number is valid and posts it to a public source

HN downloads a list of 4096 bit numbers posted in the last 5 minutes and confirms the one associated with your account is on the list

HN will know that "Identities-r-us.com" has proven your age, but nothing else

IRU know you had to age approve a site, but there are many sites downloading the lists so they don't know which one

[AlexCoventry]

You can do even better than that. IRU could proxy your TLS connection to the identity provider, and you could prove to IRU in zero knowledge that the decrypted transcript verifies that your age is over some threshold, without IRU ever seeing your age, and without the provider having to run a signature service. Then IRU is the one who signs the attestation on your age.

https://eprint.iacr.org/2020/934.pdf

[sva_]

But this way ppl could falsely verify their age by using a shared identity, unless the identity provider saves the identity (and shares it with other such providers)?

[WinterMount223]

That sounds better if you don’t trust the websites but worse if you don’t trust the government or the central checker.

[iso1210]

The central checker knows you've proven your age, but not where you've proven it.

As someone else points out, you send a message to your ID provider 17 requesting the minimum required fields and an anonymous token provided by HN, the ID Provider returns that (over18=yes, token=1234567....) which is signed, you then send the returned payload to the server you're asking, saying "I used Identity provider", and HN (assuming it trusts your ID provider) can confirm that.

HN knows the IP you're connecting from and the identify provider (say the Austrailian government)

The Austrailian government doesn't know where you're connecting to, just that you are trying to prove you are over 18. The unique random number HN provides confirms it's not someone else's token, but it doesn't link to HN

I assume there's a proper standard which does this

[int_19h]

How does the identity provider know that the proof of age provided is really for the person to whom the unique number was issued?

[amelius]

Why not let the user download the signed proof-of-age, and post it back to HN?

[iso1210]

Why not indeed