This doesn’t stop the scheme the parent proposes, where adults install some proxy on their device and challenges are responded to on the parent device. Then the private key never leaves the parent device and all the child device has is the proxy software, which could be set up to not log any identifier of the key that it used.

I agree, but this is also clearly an increased barrier. Going back to OP's comment that perfection is impossible, the goal is to raise the bar, I would say that this is more than good enough.

> but this is also clearly an increased barrier.

If there's a simple piece of software that can be installed, it's not meaningfully increasing the barrier. Also, there are negative consequences to introducing "rules that you're expected to break" like this. It makes the law unserious.

If it costs money that is definitely a barrier for a child. And apps can be as well, as a parent it's easier to control what apps are installed than webpages visited.

Advertisers. Naturally someone who feels excluded or unable to compete on cleaner markets will offer the portal for people who don't have a regular id and if the ads on those portals do best if they are for toys then those are the ads they will sell.

Sure, but the comment I am responding to is arguing that there is a way around pressures towards a traceable token, so you can prosecute the person sharing their credentials. This is not the case.

Sure, but then you're partnering with someone you probably don't know to take payment for doing something illegal, and that partner knows your device and where to send the money.

And if it's a phone app, it's not going to be on app stores and you already know the person giving you the app is a criminal.

So you're installing an untrustworthy app to risk criminal charges, and the customers of this scheme are kids who mostly don't have a lot of money.

You’re missing the point. If the tokens are truly anonymous then none of this matters. There’s no way to discover or prove where the tokens came from. It could be someone in another country with stolen IDs, which are now a goldmine for minting tokens and selling on the internet.

So the schemes inherently add some traceability, which makes the tokens no longer actually anonymous.

This is the back door used to make the tokens double as ID tokens.

I'm not missing the point, and if you'll think about my scheme for a bit you'll see that anonymity is maintained in normal circumstances even though there's incentive to protect your credentials. Let's go through scenarios:

1) You give a teenager your full credentials. Teenager is careless, as teenagers often are, and posts something revealing who he is. Cops have option to search teenager's phone, see who you are, and at least revoke the credentials.

2) You install a relay app on your phone, for money. Now you've installed an untrustworthy app from a criminal, who might hack you, or might be arrested and reveal details of your device and where they're sending your money.

Neither scenario happens because the age verification is traceable.

3) Your credentials get stolen, and used in a foreign country to implement a relay scheme.

This one, I admit, my scheme can't do anything about. But this means our teenager has to pay a foreign entity. Teenagers can also pay foreign porn sites directly, if porn is our concern.

On top of that, the age verification systems we've seen so far have their own security holes that teenagers are exploiting without having to pay anything.

My personal view is that the whole thing is ridiculous and we shouldn't bother with any of this. My point is just that we can implement reasonably good age verification without eliminating anonymity on the internet.

Trusted computing fixes this up to the analog hole. Which is as much as you can expect.

Neuralink fixes the analog hole! Beam the ads directly to your cortex!

[flagged]

Trusted computing is the biggest threat to privacy and liberty of them all!

No, you can reliably attest public source builds of critical software for the ultimate in transparency. That even includes models running on GPUs. Combine that with blind tokens and you get trusted, anonymous identity verification.

What you also get is mobile devices that can't run unblessed code, make it impossible to remove legally-mandated spyware or backdoors, as well as websites that you can't use anonymously, even when you have very valid reasons to do so.

You also can’t build a house which violates building or electrical codes, or drive without a license. These are safety and security protocols and the digital realm now has them.

Mobile devices are secure and that’s why they’re not infected with malware, like any Windows machine. This is why Android is the host of 98% of all mobile malware and iPhone is not.

You have the freedom to make your own insecure devices which don’t have any trusted or secure elements. Go for it! Take your GNU and go wild.

That's just it - if remote attestation becomes commonplace, you can't make your own devices. No apps you need to live your life will work, no mainstream websites will let you visit them... Not to mention that once you get to hardware, "just build your own" login simply stops working.

The internet has plenty of security elements. Devices use TLS to communicate, are encrypted by disk encryption, users' messages/calls/data are encrypted with various protocols... This is already in place.

Building codes and such are laws, the government didn't go and change the laws of physics to make it impossible to build something not up to code. They also don't limit the sale of materials and tools to only certified builders who they know will respect the code. You can still break the rules to some extent, or even follow them, just without external certification.

Remote attestation and related technologies change the laws of physics - not complying is simply not possible. You can't just make one little change and hope nobody bothers you about it, the system makes the change impossible, or it detects it and "burns the whole house down".

If your house isn't certified because you repaired a light fixture on your own, you can still invite friends over, you can receive mail and packages to it, you can get phone, internet and other utilities. If you want to change the color of the icons on your phone, or if you want to disable the pre-installed spyware, you're cut off from talking to your friends and family, from social networks, reading the news, you can't pay your taxes, can't get a bank account, can't get paid for your work or even apply for a job. That is the reality we're going towards.

The thing that changes isn't that your every action will be followed. That already happens. It's that you are powerless to avoid it. It's a technological lock to keep you obedient. There is no security element to it. We as an industry need to stop pretending like these are security technologies and start talking to more social sciences experts. Before it's too late...

The same way a lobotomy fixes a headache.

[deleted]

How so?

They are implying the use of trusted computing with proprietary software to ensure that only users on fully “trusted” (locked down) devices are allowed to access network resources.

Presumably, if you have a trusted application on a trusted device, the identifier was installed in a trusted way, the device is in trusted possession and the device won't be given to anyone else, trusted computing may be able, in certain cases, to make it more difficult for a remote minor to use the identifier.

> in certain cases, to make it more difficult for a remote minor to use the identifier

Just offer the user some money if he installs some "trusted" app for age verification token sharing.