Can I get an explanation of what it actually does from someone who knows at least more than I do about cryptography, which is to say more than nothing? I still haven’t seen one anywhere. Do I really need to go find the source code and try to read it myself to figure it out?
In this case, it just means that the website is given a boolean indicating whether you are over 18 or not, without your real age being given.
In cryptography, a zero-knowledge proof (also known as a ZK proof or ZKP) is a protocol in which one party (the prover) can convince another party (the verifier) that some given statement is true, without conveying to the verifier any information beyond the mere fact of that statement’s truth. https://en.wikipedia.org/wiki/Zero-knowledge_proof
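To make the definition above concrete, here is an added example (not from the original thread, and not the protocol of the age-attestation app being discussed, which the thread does not describe): the textbook Schnorr identification protocol, where a prover convinces a verifier that it knows a secret exponent x behind a public value y = g^x mod p without revealing x. The group parameters (p = 1019, q = 509, g = 2^2 mod p) are constructed toy values chosen so the code runs instantly; they are far too small for real use. The `simulate_transcript` function shows why the verifier learns nothing: anyone holding only y can fabricate accepting transcripts with the same distribution, so a transcript cannot carry information about x.

```python
import secrets

# Constructed toy parameters (assumption for this example): a safe prime
# p = 2q + 1 with q prime, and a generator g of the order-q subgroup.
P = 1019
Q = 509
G = pow(2, 2, P)  # squaring any non-trivial element lands in the order-q subgroup


def keygen():
    """Prover's secret x and the public value y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit():
    """Prover picks a fresh random nonce r and sends t = g^r mod p."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def respond(x, r, c):
    """Prover answers the verifier's challenge c with s = r + c*x mod q."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x, y, challenge=None):
    """Run one full interaction; returns the transcript and the verdict."""
    r, t = commit()
    c = secrets.randbelow(Q) if challenge is None else challenge
    s = respond(x, r, c)
    return t, c, s, verify(y, t, c, s)


def simulate_transcript(y):
    """Produce an accepting transcript knowing only y (no secret x).

    Choosing c and s first and then solving for t = g^s * y^(-c) yields a
    transcript the verifier cannot distinguish from a real one, which is the
    zero-knowledge property: the transcript reveals nothing about x.
    """
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    y_c_inv = pow(pow(y, c, P), -1, P)  # modular inverse, Python 3.8+
    t = (pow(G, s, P) * y_c_inv) % P
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    t, c, s, ok = run_protocol(x, y)
    print("honest prover accepted:", ok)
    print("simulated transcript accepted:", verify(y, *simulate_transcript(y)))
    _, _, _, cheat_ok = run_protocol(x + 1, y, challenge=1)
    print("prover with wrong secret accepted:", cheat_ok)
```

The randomness of the challenge c is what makes the proof sound: with c fixed to 0 the response s = r would verify for anyone, which is why a prover must commit to t before seeing c. Mapping this onto the thread's question, the website plays the verifier and only ever sees a transcript, never the secret; whether a particular deployment also keeps the attestation provider from linking that transcript back to an identity is a separate property that this example does not address.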
I know what a zero-knowledge proof is and have read and understood a description of the well-known one relating to proof of age. That is not a sufficient explanation as to how it is applied in practice here — if indeed it is. I’ve seen it claimed elsewhere that it isn’t. But in any case it wouldn’t solve the whole problem of proving whose age it is that’s being established.
Edit to add: Upon preliminary investigation it seems like it uses OAuth in the protocol? But it is claimed that no identifying info is stored “in the app”. Does this mean that the OAuth client_id and any associated public keys are somehow kept secret from the attestation provider when you show it your passport to get the age attestation? Because otherwise it would be personally identifying info. If there’s no identifying info, is it therefore possible if you’re 12 years old to get an older kid to use their ID to get your phone age-attested and then there’s never any possibility it could be traced back to them? I just can’t make sense of it. It seems probable that the privacy claims are an illusion or a lie, but too many people seem to be swallowing them instantly and not noticing that taste.
I doubt it can be both private and secure. And don’t even get me started on workarounds. What if I verify more phones with my ID? And sell them to minors, for example. It can get dark pretty quick.