by zyx321 33 days ago
OR:

The website sends a request for age verification.

The app[1] on the user's device[2] forwards that request to the chip on the user's ID card. The user authorizes themselves with their 6-digit PIN stored on the card.

The chip produces a signed reply containing the following payload fields: `issuing_country:string` and `over_18:bool`

[1] https://github.com/Governikus/AusweisApp

[2] iPhone, Android, Windows, macOS, Linux or FreeBSD

1 comments

What happens when I set up a Tor hidden service that (in conjunction with some client software) stands in for a visitor's device and will proxy any requests back to my personal card? After all, the payloads are anonymous, so what's the risk to me?

To prevent this sort of abuse, the server would have to request the `pseudonym` field, which contains a hash across the server identity and the card's secret salt, allowing the server to detect abuse but not to track the user across multiple services.

It's probably even simpler than that: say normal users make a few requests once in a while (because they don't need thousands of tokens every day), and one user makes a ton of requests, then it is an indication that this user may be abusing the system.

It would probably be possible to use the service that the parent is suggesting and try to link it to requests to the server based on timing. But I don't even know if anyone would bother trying to identify the OP: probably it would just be enough to rate-limit the requests.

As always: it's easy to criticise, harder to actually get it right.
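
The two mitigations raised in the replies above (a per-service `pseudonym` and rate limiting), sketched as an added example that is not part of the thread or of AusweisApp. It assumes the pseudonym can be modelled as HMAC-SHA256 over the server identity keyed with the card's secret, which stands in for whatever the card actually computes; all names, limits and sample events are constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque

def pseudonym(card_secret: bytes, server_identity: str) -> str:
    """Assumed model: keyed hash of the server identity under the card secret."""
    return hmac.new(card_secret, server_identity.encode(), hashlib.sha256).hexdigest()

class PseudonymRateLimiter:
    """Sliding-window count of verifications per pseudonym, kept by one service."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self.seen = defaultdict(deque)  # pseudonym -> timestamps inside the window

    def allow(self, pseudo: str, now: float) -> bool:
        times = self.seen[pseudo]
        while times and now - times[0] >= self.window:
            times.popleft()             # forget verifications older than the window
        if len(times) >= self.max_requests:
            return False                # same card seen too often at this service
        times.append(now)
        return True

# Constructed sample secrets; real ones never leave the card.
SHARED_CARD = b"constructed-secret-of-the-proxied-card"
NORMAL_CARD = b"constructed-secret-of-an-ordinary-card"

def simulate(server_identity, events, max_requests=3, window_seconds=86400.0):
    """Return how many verifications were rejected, keyed by card secret."""
    limiter = PseudonymRateLimiter(max_requests, window_seconds)
    rejected = defaultdict(int)
    for now, secret in events:
        if not limiter.allow(pseudonym(secret, server_identity), now):
            rejected[secret] += 1
    return dict(rejected)

def demo():
    # Constructed traffic: one card answering 50 requests in an hour,
    # and an ordinary card verifying twice.
    events = [(i * 60.0, SHARED_CARD) for i in range(50)]
    events += [(10.0, NORMAL_CARD), (3000.0, NORMAL_CARD)]
    events.sort(key=lambda e: e[0])
    return simulate("https://shop.example", events)

if __name__ == "__main__":
    print(demo())
```

The service only ever stores pseudonyms, and the same card yields a different pseudonym at every other service, so the counter cannot be joined across sites.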