Comment by ekr____

3 days ago

In this case the ZKPs are tied to a private key stored in a secure element in the phone, so effectively they are tied to control of the device where the original credential was enrolled.

That's nice and all for the cryptography, but now think about what's needed to associate it with the physical attribute (such as the age) of the user of the device, which may or may not change hands over time.

  • I'm not quite sure what you're getting at here.

    The Google system is tied to a mobile driver's license, and there is an identity check at enrollment that is intended to tie the credential to the device. It's true that if you give someone access to your phone without erasing it, then they can potentially use this mechanism to circumvent age assurance. This is true for a number of other age assurance mechanisms (e.g., credit card-based validation).

    In any case, I'm not really interested in getting into an argument with you about the level of assurance provided by this system and whether it's "trivial to abuse" or not. I was merely describing the way the system worked in case people were interested.

  • The suitability of the remedy (ZKP) for the purpose of age assurance is the entire problem. The non-cryptographic aspects cannot be handwaved away as something not worth discussing when they're the primary area of concern here.

    • You're arguing with something I'm not saying. I didn't handwave anything away or say it wasn't worth discussing. I simply described how the system was designed.

But they must allow some kind of proxy signing so that you can sign in from other devices besides the phone. So how do you protect against misuse of that feature without logging any identifiers?