Comment by salawat
10 hours ago
That's exactly the opposite of anonymous. You cannot have anonymity & age verification that actually guarantees anything. It's a contradiction. Either the chain exists, or it doesn't.
10 hours ago
That's exactly the opposite of anonymous. You cannot have anonymity & age verification that actually guarantees anything. It's a contradiction. Either the chain exists, or it doesn't.
Are you saying it would be impossible to have a service where the site (social media, say) would issue some sort of random token and ask me to sign it using a centralized ID service. Then I log in to the centralized id service and use it to sign the random token and bring it back to the service.
The centralized service see who I am, but not what I'm proving my age for. The social media or other site see that I have signed their token so would have the appropriate age, but not who I am.
What's impossible about this?
The problem with that is if someone gets a hold of the logs from both the centralized service and the social media site they can compare timestamps and may be able to match them up.
Most people will be doing the whole process (site gives token, person gets token signed, person returns token) as quickly as possible which limits the candidates for a match. Worse, if the central service is compromised and wants to make it easier for log matching to identify people they could purposefully introduce delays which would make it easier to distinguish people.
Most people will use the same IP address through the verification process which would really make it easy.
Yes, timestamp comparison will be possible. I don't think there is a reasonable way around it? And authentication on to someone else is also unavoidable with reasonable privacy. I think a system with both of those drawbacks is still preferable to most other options.
1 reply →
Just let people freely register as many virtual ids as possible (and confirm with the real id). Then use that virtual ids to register in actual services.
This allows anonymity, security (no timestamps comparison), freedom of speech and expression (to have independent accounts not linked to the main virtual id).
This is no different from VPN providers. Maybe have the central authority keep no logs just like VPN companies. We already have government agencies that do that for instance the agency that handles text to speech phone calls for deaf people. Alternatively use a VPN to sign the token.