[edm0nd]

I think this is the correct way too.

Some of the age verification systems that use digital ids (mDLs) do the same thing but people freak out about how they work because I think they misunderstand the tech.

They system basically asks the mDL via an api call "is this user above the age of 18/21" and the app only responds with a yes or no. It doesn't pass the users fulls details over or anything like that.

[MattPalmer1086]

Do these systems prevent linkability or allow the use of pseudonyms?

As in, if I repeatedly ask for age verification to the same service, does it know:

1) the identity of the user making the request, and 2) whether repeated requests comes from the same user (even if they don't know who it is?)

[ndriscoll]

My non-expert understanding is that in the short term mDL is linkable to a cert serial, but those are supposed to be regularly rotated. So you might have 2) for a day or whatever the rotation period is. I think I've seen it asserted that it is possible to have a ZKP framework that doesn't require this, but I don't know how that might work.

The age verification bills in the US at least also make it illegal to record that information, sometimes with high penalties (e.g. my reading of Texas's is that it is up to $10k per retained record).

[MattPalmer1086]

Thanks. Didn't know it was illegal to record it in the US - or does that vary by State?

There's a bunch of ways to achieve this privately. The work of Jan Camenisch on Anonymous Credentials and other things was done quite a long time ago now. It's a well studied field.