If my ID cryptographically attests something can’t the organization the issued the ID still match it to me?
Wouldn’t it be enough for some smart kid to get the ID of their grandma and post it on 4chan so that all the other kids can use it? How would you detect leaked certs?
For the first part of the question: I have to think/find a specific protocol to verify my intuition…
For the second part of the question: no that is not possible. Cryptographic material is stored in a Smartcard/secure platform module which (in simple terms) means the key material can’t be extracted. So you always have to be physically in possession of the ID card/device with digital wallet in order to use it.
Further you have to know a PIN or be able to present some biometric features to
So yeah a smart kid can nick their grannies ID, find out her PIN or socially engineer her into providing biometric features. But it would only be valid for that one attestation.
In a proper zero knowledge proof situation, where you auth it locally, no one knows you accessed the site but the site (who knows your IP) and they don’t know who you are based on the proof. Doing it all locally is the best way to do it.
In a less ideal set up, where the Auth is split between you and the identity provider, the identity provider would learn how many people are accessing the site, but not who. (Edit: they could also learn that you requested an auth, but not for where, depending on how it’s set up)
We have the technology to do it if we wanted to.
Edit: and it really only works with biometrics since pins can be shared.
In Spain you have the cert on an chip embedded in the ID card as you describe but you can also request a downloadable p12 cert that you import in your browser. Most people use the p12 certs because they don’t require any additional hardware. From what I read Spanish government proposed solution based on anonymous certs that would only attest your age but wouldn’t have any personal information.
On the other side we have the “mandatory ID card” solution which means additional hardware requirement, and, correct me if I’m wrong, it would only work on desktop, right? Do you have ID card readers that work with phones?
Oh I see! Yeah the p12 cert solution would obviously be vulnerable to the “grandma attack”
But it seems weird, because all of us in the EU should have to implement the eIDAS directive right, and our implementation of an eID here in Germany at least is an NFC interface on our national identity cards.
So any phone with NFC can be the reader.
If I wanna do my taxes, I touch my ID to my phone, enter my PIN and get logged in.
Granted…that’s still a pretty fucked up “auth flow” for when I wanna watch porn 😅
Ok, after checking the Spanish ID also supports NFC, I just never saw NFC readers for them. I think using NFC on your phone/PC to confirm you age by swiping a physical DNI card would work for convenience but I’m still not convinced about security. If you just have to verify your reddit/google/porhub account once kids would just give some 18 year old friend 10 Euros for a single ID swipe. If the entire operation is fully anonymous (you don’t know which ID was used) there would be no way to detect this. You would get dozens if not hundreds of accounts verified by the same ID. You would be able to simply setup bunch of age verified Google accounts and sell them online. If you make it possible to track which ID verified given account you will lose anonymity. I don’t see a way around it.
If my ID cryptographically attests something can’t the organization the issued the ID still match it to me?
Wouldn’t it be enough for some smart kid to get the ID of their grandma and post it on 4chan so that all the other kids can use it? How would you detect leaked certs?
For the first part of the question: I have to think/find a specific protocol to verify my intuition…
For the second part of the question: no that is not possible. Cryptographic material is stored in a Smartcard/secure platform module which (in simple terms) means the key material can’t be extracted. So you always have to be physically in possession of the ID card/device with digital wallet in order to use it. Further you have to know a PIN or be able to present some biometric features to
So yeah a smart kid can nick their grannies ID, find out her PIN or socially engineer her into providing biometric features. But it would only be valid for that one attestation.
In a proper zero knowledge proof situation, where you auth it locally, no one knows you accessed the site but the site (who knows your IP) and they don’t know who you are based on the proof. Doing it all locally is the best way to do it.
In a less ideal set up, where the Auth is split between you and the identity provider, the identity provider would learn how many people are accessing the site, but not who. (Edit: they could also learn that you requested an auth, but not for where, depending on how it’s set up)
We have the technology to do it if we wanted to.
Edit: and it really only works with biometrics since pins can be shared.
In Spain you have the cert on an chip embedded in the ID card as you describe but you can also request a downloadable p12 cert that you import in your browser. Most people use the p12 certs because they don’t require any additional hardware. From what I read Spanish government proposed solution based on anonymous certs that would only attest your age but wouldn’t have any personal information.
On the other side we have the “mandatory ID card” solution which means additional hardware requirement, and, correct me if I’m wrong, it would only work on desktop, right? Do you have ID card readers that work with phones?
Oh I see! Yeah the p12 cert solution would obviously be vulnerable to the “grandma attack”
But it seems weird, because all of us in the EU should have to implement the eIDAS directive right, and our implementation of an eID here in Germany at least is an NFC interface on our national identity cards. So any phone with NFC can be the reader.
If I wanna do my taxes, I touch my ID to my phone, enter my PIN and get logged in.
Granted…that’s still a pretty fucked up “auth flow” for when I wanna watch porn 😅
Ok, after checking the Spanish ID also supports NFC, I just never saw NFC readers for them. I think using NFC on your phone/PC to confirm you age by swiping a physical DNI card would work for convenience but I’m still not convinced about security. If you just have to verify your reddit/google/porhub account once kids would just give some 18 year old friend 10 Euros for a single ID swipe. If the entire operation is fully anonymous (you don’t know which ID was used) there would be no way to detect this. You would get dozens if not hundreds of accounts verified by the same ID. You would be able to simply setup bunch of age verified Google accounts and sell them online. If you make it possible to track which ID verified given account you will lose anonymity. I don’t see a way around it.
You can hook a smart card up to a phone, might need an adapter but it works on Android