← Back to context

Comment by rstuart4133

4 days ago

> This is false. There are many problems with age verification, but the EU approach does not involve the id provider in the verification flow. The site requiring verification presents a QR code which encodes a presentation request and the provider controlled URL

The nit you look to be picking is "redirect" means "a web page directs your browser to go to another URL". That is an interpretation you could use, but I was using a broader one. In the EU case, it isn't the browser following the redirect, it's you. The "server" you are redirected to is a government-provided app on your phone that implements openid4vp. But the underlying principle is still the same - you are "redirected" to a third-party proof-of-age provider, who sends a reply signed by the provider.

To the OP: openid4vp is an example of a protocol that is about as private as you can get. It all works offline, so the government does not know what sites you have visited. And the age verifier has no idea who owns the phone. As you say, the connection between the phone and the person holding it is a weakness; junior could just borrow big brother's phone to prove his age.