2025-04-25 00:47:47

kbal on Nostr: Okay, there is a nonce. Presumably it is negotiated somehow to prevent the Website ...

Okay, there is a nonce. Presumably it is negotiated somehow to prevent the Website from hiding any info in it. But then the question for the ID server is simply "Does a user who knows this nonce have access to a keypair indicating the right age range?" The user (i.e. the "trusted app" that is in their control) can then simply send that question off to Charlie or whoever and get the desired answer to relay to the Website without revealing to anyone any secrets of their own. The ID server has no way to know it was proving the age of the wrong person, the Website doesn't know who it actually got an age for, and neither can identify the actual user.

I think the people implementing these age verification schemes do want to try and defend against that sort of thing, because both the ones I've seen so far in reality (the one from Spain and some other thing a couple years ago that was closer to your idea) seem to have willingly sacrificed any semblance of privacy in their efforts to prevent it.
Author Public Key
npub10zcm054eh7z0ftv9sz40k7vspn8nw0tytsza9klfatkupr50j33q23qxfr