Comment by ulrikrasmussen
4 days ago
> the usual flow is rather like Google's OAuth - the site needing you to prove your age rediects to the provider (Google, or whoever), who asks questions to verify your identity, and then replies with "over 18" or "not over 18".
This is false. There are many problems with age verification, but the EU approach does not involve the id provider in the verification flow. The site requiring verification presents a QR code which encodes a presentation request and the provider controlled URL which is to receive a presentation of the age credential, and then the smartphone generates a unique presentation signed by a device bound key and sends it to that endpoint.
It is however true that in addition to the one bit of information saying age>18, what is also revealed is the public key of the identity provider. This will at least reveal the nationality of the credential holder and - in the case there are multiple issuers within a nation - may reveal even more information about their demography.
> This is false. There are many problems with age verification, but the EU approach does not involve the id provider in the verification flow. The site requiring verification presents a QR code which encodes a presentation request and the provider controlled URL
The nit you look to be picking is "redirect" means "a web page directs your browser to go to another URL". That is an interpretation you could use, but I was using a broader one. In the EU case, it isn't the browser following the redirect, it's you. The "server" you are redirected to is a government-provided app on your phone that implements openid4vp. But the underlying principle is still the same - you are "redirected" to a third-party proof-of-age provider, who sends a reply signed by the provider.
To the OP: openid4vp is an example of a protocol that is about as private as you can get. It all works offline, so the government does not know what sites you have visited. And the age verifier has no idea who owns the phone. As you say, the connection between the phone and the person holding it is a weakness; junior could just borrow big brother's phone to prove his age.