Comment by dreadnip

3 months ago

I quite like the EU approach. It's a decent spec. Most countries already have digital apps to verify identity, like Denmark's MitID (https://www.mitid.dk/en-gb/get-started-with-mitid/). These could be expanded to fully EUDI compliant wallets and deliver encrypted proof-of-age without exposing any other identity.

For example a gambling site could require MitID auth, but only request proof-of-age and nothing else. You can see in the app which information is being requested, like with OAuth.

If there's no information provided beyond proof-of-age, what's stopping my friend's 18 year old brother from lending his ID to every 14 year old at school? IRL that's negated by the liquor store clerk looking at the kid who is obviously underage and seeing that his face doesn't match the borrowed card he just nervously presented.

  • > what's stopping my friend's 18 year old brother from lending his ID to every 14 year old at school?

    MitID is 2FA. You log in with username, then you have to open the app, enter password or scan biometric, then scan the QR code off the screen* and you are logged in.

    He would need to be next to you every time you log in. I think that is too high friction to make it feasible on a large scale.

    * Assuming you open the website on the desktop, and MitID on phone. If both on phone, skip this step.

    • If people have to go through OS auth flow each time they open a website, that will drive everyone mad. One of the key motivators for politicians is not making everyone mad, so the polls don't drop.

      Also, I reckon most children know the password for their parent's phone or computer, and many more will find out if there is a highly motivational factor for doing so. How many exhausted parents just toss their phone to their child to stop them whining?

      I suppose it could be a biometric sign-in with facial recognition or fingerprint, but again, that's a tonne of friction for the whole web.

    • That's how the user interface works. What is it doing at the protocol level? What stops someone from building a service that mints anonymous verification codes on a massive scale and distributes them to anyone who asks? Maybe with the user interface being an app kids can download to scan any QR code and pass verification.

I don’t mean to be as aggressive as this sounds but the frogs probably liked the increasingly warm water too until it started boiling. How many steps between MitID and a fork that is used to enforce extreme censorship?

  • MitID is run by the government. How would anyone fork it? Any service implementing MitID auth can verify through signatures that they're connecting to the official service.

    I don't want my kids to have access to gambling websites like Stake, but I also want to keep my digital identity anonymous. The eIDAS is a solution that achieves both of these goals.

    If you can choose between the Discord shitshow with a face scan, or a digital encrypted proof-of-age in a 2FA app you already use, issued and verified only by the government of your country (who have all your personal details anyway), what would you choose?

  • > During the 19th century, several experiments were performed to observe the reaction of frogs to slowly heated water. In 1869, while doing experiments searching for the location of the soul, German physiologist Friedrich Goltz demonstrated that a frog that has had its brain removed will remain in slowly heated water, but an intact frog attempted to escape the water when it reached 25 °C.

    From Wikipedia.

  • Having the government be the issuer and verifier of personal IDs is hardly a "boiling frog" situation anywhere in the world.

Gambling sites already have payment information, which should include real names! (no, you should not be allowed to do non-KYC gambling, that's just money laundering)