by tomjen3 1324 days ago
Anonymous verification of age is a nice one: Site A generates a bit of bytes, you then take that to a government portal, log in and get it signed, then you return with the signature and now the site knows nothing whatsoever about you, other than that you could get a government site to assert that you are old enough to order beer online.

The government site doesn't have to know anything about you either, other than you requested a beer token.

> The government site doesn't have to know anything about you either, other than you requested a beer token.

That's the 7th beer token you've requested this week, citizen. For your own good, we've denied your request.

That's not how it works. You would just request a VC that states personal information about you from the government, including age (like an ID card which most countries have)... then, when you're required to prove you're a certain age, you can create a presentation object which only contains your age, nothing else. You can present that as many times as you want without the government knowing you did that (unless the receiver of the presentation decides it wants to inform the government about that! In which case there's nothing technology can do to help).

It very much can be.

Gov might require that on each sale, company re-verify identity (just like they demand you check ID on each sale).

That results in a network request to `proof.verificationMethod` on each sale, which contains a URL to the age verification for that one user.

Done. Gov now has records on how many times you bought beer. They might also request that the number/description of items be included on the verification request, but that is not necessary since credit cards are already being replaced with central bank issued payment systems (see India, Brazil, etc.)

No, the system just isn't designed like that, the whole point of VCs is that the system becomes decentralized. To check a credential is valid you absolutely don't need to hit the Government, you need to trust its public key, which you can easily get once (or keep updating using things like DID)... you are arguing about a different system design that just doesn't exist and has no reason to exist.
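
The flow argued for in the comments above (present only your age, and check it against the issuer's public key without contacting the issuer), as an added example that is not part of the thread or of any VC library. It uses salted-hash selective disclosure (the approach SD-JWT takes), which is one way to do this and not something the W3C data model mandates; the tiny textbook-RSA key, the claim names and all function names are assumptions for the demo, and there is no holder binding or replay protection.

```python
import hashlib, json, secrets

# Toy textbook-RSA issuer key built from two Mersenne primes (assumption for
# this demo only; far too small and unpadded for real use).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # issuer's private exponent
ISSUER_PUBLIC_KEY = (N, E)             # the only issuer data a verifier caches

def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _digest(salt: str, name: str, value) -> str:
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(claims: dict):
    """Issuer: salt and hash every claim, sign only the sorted digest list."""
    salted = {k: (secrets.token_hex(16), v) for k, v in claims.items()}
    digests = sorted(_digest(s, k, v) for k, (s, v) in salted.items())
    sig = pow(_h(json.dumps(digests).encode()) % N, D, N)
    return salted, digests, sig        # all three go to the holder's wallet

def present(salted, digests, sig, reveal):
    """Holder: disclose salt and value only for the chosen claims."""
    return {"digests": digests, "sig": sig,
            "disclosed": {k: salted[k] for k in reveal}}

def verify(presentation, public_key=ISSUER_PUBLIC_KEY):
    """Verifier: purely local check, no request to the issuer."""
    n, e = public_key
    digests = presentation["digests"]
    if pow(presentation["sig"], e, n) != _h(json.dumps(digests).encode()) % n:
        return None                    # digest list not signed by the issuer
    claims = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in digests:
            return None                # disclosed value was altered or invented
        claims[name] = value
    return claims

if __name__ == "__main__":
    # Constructed sample credential
    wallet = issue({"name": "Alex Example", "birth_year": 1990, "over_18": True})
    print(verify(present(*wallet, reveal=["over_18"])))
```
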

> the whole point of VCs is that the system becomes decentralized.

You say decentralized, yet that Verifiable Data Registry seems like a central component to checking whether you are you. How is that not able to see that you checked your ID?

That's not a centralized registry. In fact, it's usually a distributed ledger, normally a blockchain but any distributed database of public keys and IDs will do.

Also, the ID in the VC is not something that can easily be used to identify you. It may be in basic implementations, but it shouldn't. The W3C spec recommends using DID[1]... A DID is a random ID, basically, which is stored in the "distributed ledger" where others can find your current keys and other metadata (none of which contains personal data)... you can have as many DIDs as you want, e.g. one for each usage you make of your VCs, making it impossible to track you around... you should look at the W3C spec if you really want to understand how DIDs and VCs are supposed to work, the Auth0 website is a much lighter, pre-digested and somewhat more centralized version of things that makes it much easier to get started (which is a great thing, but hopefully you shouldn't judge VCs from only what they're pushing).

[1] https://www.w3.org/TR/vc-data-model/#dfn-decentralized-ident...

It's funny you mention this, this -exact- thing happened with one of the delivery companies in Australia.