[Nursie]

> Any "verification" means unacceptable privacy violations.

So I'm not necessarily arguing for age controls here, but purely on a technical level what do you think of schemes like Verifiable Credentials, which delegate verification to third parties that have already established your identity?

In theory you can set up a system that works like this:

1. User goes to restricted site and sets up an account

2. Site forwards them on to a verification service with a request "IsOver18?"

3. User selects their bank from a dropdown on the broker site

4. Broker forwards them to the bank, with a request "IsOver18?"

5. User logs in and selects "Sure, prove I am over 18 to this request"

6. Bank sends a signed response to the broker "Yep"

7. Broker verifies and sends its own signed response to the site "Yep"

8. The site tags the account as "Over 18 Status verified"

In this situation, the restricted site doesn't get anything other than a boolean answer from the broker. The broker can link a request to a given bank but doesn't get anything that gives away your identity. The bank knows your identity and that it has approved a request, but not necessarily where the request came from.

[nightski]

Verification broker tracks sites which make requests and records it attached to personal data. Site either sells or leaks personal data along with history of all sites visited which require age verification.

Also your solution requires a bank account, not something everyone has. Many do, but not all. Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.

[Nursie]

> Verification broker tracks sites which make requests and records it attached to personal data.

How? What personal data?

The broker doesn't get anything other than "Site X wants to verify over 18, the user selected forward to Bank Y" and "Bank Y responds with TRUE"

> Also your solution requires a bank account, not something everyone has

True. Banks are only one example of an already trusted identity provider in this situation. But I get that there are gaps.

> Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.

Verification need only happen once per site, when setting up an account. This does introduce the possibility of a secondary market for approved accounts though, sure.

[tardedmeme]

User installs a browser extension which forwards the request to everyoneisover18.com, owner of that site has a script set up to log into their bank and pass the verification challenge

[Nursie]

Restricted-site.com gets the signed response from the broker, not the bank. In your situation there's not any need for "everyoneisover18.com" to defer to a real bank for a faked response as it signs things itself.

But restricted-site.com doesn't trust everyoneisover18.com's key, it only trusts realbroker.com's key, so the response isn't accepted. If it is found to trust fake brokers like that it gets in trouble with the law.

[tardedmeme]

That's why everyoneisover18.com forwards the request to my bank or my broker and gets my signature on the behalf of literally anyone. I may charge them $5 for this service.

[Nursie]

> That's why everyoneisover18.com forwards the request to my bank or my broker

Doesn't work. The response won't be signed by real-broker.com.

The permission request/response itself goes direct from the server at restricted-site.com to the server at real-broker.com over TLS, so you can't MITM it, it's not controlled by the client and you won't be able to just pass out a cached response.

Your malicious client plugin could potentially forward the client session details to you, so you could operate the broker page, then log in to your bank's portal and approve that request, but I don't think that's going to scale very well and I imagine your bank is likely going to rate limit you.

[tardedmeme]

real-broker opens a web page allowing them to verify somehow. The browser extension sends me their URL and cookies so I can load the same page and verify myself. All automated of course.

[Nursie]

You could, you could also go to their house and go through the process for them, but in either case I don't think it's going to scale very well (rate-limiting would seem to be called for, maybe with 2FA as well, to mitigate this sort of thing and remove the possibilities for automation).

But sure, you could subvert it on a small scale, just as you can borrow someone else's driving license to register in 'normal' systems already. You could also register an account, validate it and then sell the login details, regardless of what proof of age scheme you use.

The point is the scheme is no worse at validation than asking for ID and it protects user privacy by keeping all ID details away from individual websites, which is the more important part IMHO.