Well they could do it the right way where, for example, you go to your city hall to get a certificate of age where they check your ID.
Then some cryptography happens so you only enter a public key from that certificate on a website or OS to verify your age.
The website or OS doesn’t check your ID. City hall doesn’t know your browsing history.
But I’m not fooling myself, that’s not the point of such a law.
That’s not true. It’s simple if all you actually want is age verification.
You go in to the government building and show your ID. Seeing you are 18 or older you get to go to another room where they don’t check your ID, just give you a token saying the one holding it is over 18. Make the token like a FIDO key where you have a pin you set yourself.
There is an air gap between the validation and the token creation so there is no way to go from token to ID. You make the key use a pin so we consider it to be once usable by one person.
The issue is not about the technology. The issue is that we all know this has nothing to do with kids getting on porn sites.
You make the key use a pin so we consider it to be once usable by one person.
Now you have trusted the user not to provide the PIN to another, and the implementation is no longer correct. You’d at least need to use biometrics to tie the key to the person.
You are changing the goal. The point of this is to provide THE USER with a solution where they don’t have to give away their personal information to the Government or the 3rd Party site. We do not care about situations where users commit crimes as that means our focus is on the Government’s needs which they would already have met by just implementing a “Show us your ID” solution.
Now you could make the pin be a biometric so it’s physically connected to the user. But part of the solution needs to be that the token is not identifiable with the user. If I pull of my wrist band no one will know it was mine. If you throw out your token someone could go around testing everyone’s fingers and find out it was yours.
Without ensuring that the key issued to one person is not used by another, the key does not prove the age of the user, and isn’t that the whole point of the key?
It can be a shared token. For example a cryptographic hash. There are many solutions for the problem of certifying a token while giving no traceable data.
In most solutions there would be the traceability of knowing “User X went to site Y and site Z” but never knowing who “User X” is. There have been solutions proposed that create site specific hashes where it becomes more difficult if not impossible to track a user across different sites. So it just depends on if this issue needs to be resolved or not.
Personally I would be fine letting every porn site I use know I’ve been to every other porn site. If you wanted to go somewhere that you don’t want them to know, throw out your token and go get a new one.
Well they could do it the right way where, for example, you go to your city hall to get a certificate of age where they check your ID. Then some cryptography happens so you only enter a public key from that certificate on a website or OS to verify your age.
The website or OS doesn’t check your ID. City hall doesn’t know your browsing history.
But I’m not fooling myself, that’s not the point of such a law.
no implementation of personal ID for internet access will ever be “correct.”
That’s not true. It’s simple if all you actually want is age verification.
You go in to the government building and show your ID. Seeing you are 18 or older you get to go to another room where they don’t check your ID, just give you a token saying the one holding it is over 18. Make the token like a FIDO key where you have a pin you set yourself.
There is an air gap between the validation and the token creation so there is no way to go from token to ID. You make the key use a pin so we consider it to be once usable by one person.
The issue is not about the technology. The issue is that we all know this has nothing to do with kids getting on porn sites.
Now you have trusted the user not to provide the PIN to another, and the implementation is no longer correct. You’d at least need to use biometrics to tie the key to the person.
You are changing the goal. The point of this is to provide THE USER with a solution where they don’t have to give away their personal information to the Government or the 3rd Party site. We do not care about situations where users commit crimes as that means our focus is on the Government’s needs which they would already have met by just implementing a “Show us your ID” solution.
Now you could make the pin be a biometric so it’s physically connected to the user. But part of the solution needs to be that the token is not identifiable with the user. If I pull of my wrist band no one will know it was mine. If you throw out your token someone could go around testing everyone’s fingers and find out it was yours.
Without ensuring that the key issued to one person is not used by another, the key does not prove the age of the user, and isn’t that the whole point of the key?
Would these tokens be unique per website visit? Are they generated by the user or the government?
It can be a shared token. For example a cryptographic hash. There are many solutions for the problem of certifying a token while giving no traceable data.
In most solutions there would be the traceability of knowing “User X went to site Y and site Z” but never knowing who “User X” is. There have been solutions proposed that create site specific hashes where it becomes more difficult if not impossible to track a user across different sites. So it just depends on if this issue needs to be resolved or not.
Personally I would be fine letting every porn site I use know I’ve been to every other porn site. If you wanted to go somewhere that you don’t want them to know, throw out your token and go get a new one.
Exactly. Digital ID verification is in no way comparable to physical ID verification.
Never say never there is ALWAYS a way to do things right. But our government is too stupid to do it. So it might as well be impossible. Kek