Comment by tenthirtyam

2 days ago

I would much prefer to see a ZK system that, by design, CANNOT reveal info either to the website or to the authority. E.g., in the new EU system, it is (afaik) conceivable that the ID authority could collude with social network providers, or with government or with police etc. That's not great IMO.

How about a system like Google Authenticator, in which Google knows nothing about which websites I'm logging into? Except, obviously, it'd have to be some kind of cryptographically signed response. E.g., the website puts up a QR code (according to some standard) asking "is the user 18+", I scan it with the phone, and the ID app, without accessing the internet (like Google Authenticator), responds.

I suppose that might need a secure computing environment, so no rooted phone etc. But, of course, there's a simple workaround. Any adult can give their phone to a child. As long as that vulnerability is there, there's no such thing as a guarantee on the responses no matter what way you build it.
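The offline scan-and-respond flow described in the comment above, as an added sketch that is not part of the original comment: an authority signs an "age_over_18" claim bound to a device key once, and the phone later answers a site's challenge with no network access. Every function and field name is hypothetical, and this uses plain Ed25519 signatures rather than zero-knowledge proofs, so the same credential is shown to every site and could be linked if sites and the authority compared records; unlinkable presentation would need an anonymous-credential or blind-signature scheme.

```javascript
// Added sketch, not from the original comment. All names are hypothetical.
const crypto = require('node:crypto');

// Issuance (one time, online): the ID authority signs the claim together with
// the public key of a key pair that lives only inside the phone's ID app.
function issueCredential(authorityKey, devicePublicKey) {
  const devicePub = devicePublicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  const body = JSON.stringify({ claim: 'age_over_18', devicePub });
  const sig = crypto.sign(null, Buffer.from(body), authorityKey).toString('base64');
  return { body, sig };
}

// Website: the QR code carries the question plus a fresh random nonce.
function makeChallenge(origin) {
  return { origin, ask: 'age_over_18', nonce: crypto.randomBytes(16).toString('hex') };
}

// Phone, offline: sign the scanned challenge with the device key and attach
// the stored credential. No request goes to the authority at this point.
function respond(challenge, credential, deviceKey) {
  const msg = Buffer.from(JSON.stringify(challenge));
  return { credential, proof: crypto.sign(null, msg, deviceKey).toString('base64') };
}

// Website: verify the authority's signature on the credential, then the
// device's signature over this exact challenge. A response produced for one
// nonce does not verify against another, so a captured response cannot be replayed.
function verifyResponse(challenge, response, authorityPublicKey) {
  const { body, sig } = response.credential;
  const credOk = crypto.verify(null, Buffer.from(body), authorityPublicKey,
                               Buffer.from(sig, 'base64'));
  if (!credOk) return false;
  const { claim, devicePub } = JSON.parse(body); // trusted only after credOk
  if (claim !== challenge.ask) return false;
  const deviceKey = crypto.createPublicKey(
    { key: Buffer.from(devicePub, 'base64'), format: 'der', type: 'spki' });
  return crypto.verify(null, Buffer.from(JSON.stringify(challenge)), deviceKey,
                       Buffer.from(response.proof, 'base64'));
}
```

The check proves only that a phone holding the credentialed key answered this challenge; it says nothing about who was holding the phone.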