this post was submitted on 26 Jul 2025
The solution is really, stunningly simple:
Your gov issues official documents about you (driving license, passport, id cards...). They know your age.
Your gov is also a trustworthy institution since all those cited above are official documents that anyone, anywhere will accept as valid.
So here's the solution: the gov creates a digital certificate in which the only stored data is your age, or even less: your adult state (as a boolean; if over 18 = TRUE).
The gov issues the cert on demand to any person after presenting any valid ID to prove who you are (it can be done online, with only the id verification being done in person). The cert is bound to your device, and if you change phone, you must migrate it so you can't have it in two devices.
Since the issuer is a trusted authority, the cert can be used as a proof of age in any site needing it as the only thing they need is to read the cert and confirm the auth of the issuer.
And as the cert is only a boolean status saying if you are underage or adult, there are no privacy concerns as the one checking your age won't know anything else about you.
There, you just solved a "huge" problem in a simple way and with no privacy concerns.
Yeah, that's the obvious straightforward fix, but that's not the point. They want to have some online system that really tracks your ID checks and where you're checking it. :)
Shit. This is actually genius and really hard to simplify further. It also never will be implemented this way by my government.
I don’t know about the UK and the US. But Germany is in the middle of leaving the Fax era…30 years behind the rest of the world. I am right now waiting for a letter from my health insurance provider so I can use their app. It’s a week overdue.
Yeah I was overcomplicating things when a token approach maybe even generated with a card reader or through a gov platform is way more simple.
And would not be hard to implement now that I realise there are many solutions like that such as JWT, SSL, GPG, OTP, etc ...
You just glossed over why this is a hard technical problem in the first place - They also need to check the cert isn't revoked.
Otherwise, you can just hold onto a compromised cert, and reuse it.
Oh that makes sense an age certificate that only gov can generate. No ties to your identity whatsoever, still one could easily borrow someone else's. Maybe it could work like JWT or OTPs, go to gov platform generate it being only valid for a couple mins and paste it in the website.
Literally tied to your identity by the government
I was mentioning the token payload which would be only the age or a boolean value.
the only way to borrow it is physically taking the phone, and even then, if the phone is locked, you need to unlock it. The cert by itself is bound to a device, if you give that device to someone else, that's on you. It's not a fault in the system but in the user.
Think of how 2FA apps work. They generally are locked under a code or biometrics; if someone else has access to them, it's because you gave them access, so it's your responsibility.
Yeah . . . Now being devil's advocate faceID would prevent that.
But still if instead of binding a cert to a device we went to a gov platform for a limited time token/OTP it would work too. It could be shared too but so could u ask ur brother to show up in the facescan before entering a website.
Yes, but then, to generate the code, the gov has to know who's asking for it. If the cert is locally stored in your phone, nobody can know who's asking for it.
At least here in Portugal we have an electronic ID platform that provides some services that could be one of them.
What I was saying was going to that platform or app (they have an app I think too), grab a token generated for that website specifically and paste it.
Then the website would receive the token and, given a key received by the gov to operate in the country, gets the payload and checks if the person is of age.
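
The short-lived, site-specific token proposed in the comments above, as an added example that is not part of any comment in the thread. It assumes HMAC-SHA256 with a per-site key standing in for the "key received by the gov", a 120-second lifetime, and hypothetical function and field names (`issue_token`, `verify_token`, `adult`, `aud`, `exp`).

```python
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(site_key: bytes, site: str, is_adult: bool,
                now: float, ttl: int = 120) -> str:
    """Issuer side: the payload holds only the adult flag, the site and an expiry."""
    claims = {"adult": is_adult, "aud": site, "exp": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(site_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(site_key: bytes, site: str, token: str, now: float) -> bool:
    """Website side: accept only an authentic, unexpired adult token for this site."""
    try:
        body, sig = token.split(".")
        payload, tag = _unb64(body), _unb64(sig)
    except ValueError:  # wrong number of parts or bad base64
        return False
    expected = hmac.new(site_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    claims = json.loads(payload)  # parsed only after the tag has been checked
    return (claims.get("aud") == site
            and now < claims.get("exp", 0)
            and claims.get("adult") is True)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value, not a real key
    tok = issue_token(key, "site-a.example", True, now=1000)
    print(verify_token(key, "site-a.example", tok, now=1060))  # within lifetime
    print(verify_token(key, "site-b.example", tok, now=1060))  # pasted into another site
    print(verify_token(key, "site-a.example", tok, now=1500))  # reused after expiry
```

Because the issuer is told the site name when it builds the token, this flow lets the issuer see where the token will be used, unlike a certificate that is only read from the device.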