Age verification

Mon Dec 5 18:01:16 GMT 2016

I'm pretty sure someone years ago produced a card that could be used as face-to-face proof of over-18ness and nothing else. Sadly my google skills aren’t up to finding it but maybe others can. One (chip) end of the card was placed in a reader on the bar, other was held by the individual and checked their fingerprint. Reader lights up (probably red/green - since I'm colourblind that part wasn’t obvious) and you get, or don't, your drink.

"All" that was needed to complete that system was a trusted (by the pub) issuing process to ensure that only over-18s could link their fingerprint to a card with that process also being trusted (by the user) not to record/disclose identity.

Online there are a lot more challenges, most obviously that everyone has to have a reader, that that reader has to be trusted even in the hands of owners who would like to make it lie, etc. And with either type of system you have to know in advance what question you want to ask, and ensure that "I forgot the card" gives the right answer. But I suspect the technology is the easy bit...

Andrew

> -----Original Message-----
> From: ukcrypto [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On
> Behalf Of Graham Cobb
> Sent: 02 December 2016 14:37
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Age verification
> 
> Age verification is back in the news again due to the DE Bill.  I have
> wondered for a while whether crypto could allow us to create some sort
> of double-blind age verification system: where the identity (name, date
> of birth, etc) of the person is hidden from the entity needing
> verification, and the identity of the resource being accessed is hidden
> from the entity providing verification.  Ideally, of course, it would be
> triple blind: third parties such as law enforcement cannot find out what
> resource was accessed by what person, at least not after the fact (maybe
> they could with prior notification that a particular person or a
> particular resource was to be monitored).
> 
> I had in mind something like:
> 
> 1. Assume that some entities exist who can provide acceptable age
> verification (I will use a bank as an example below but it could be any
> private or state entity).
> 
> 2. Bank verifies your age.
> 
> 3. You request them to sign a certificate stating that you are over a
> specific age (say 18).
> 
> 4. Bank provides the certificate to you.
> 
> 5. You pass the certificate to the entity needing the proof (say, a
> nightclub).
> 
> 6. Nightclub validates the certificate against the bank's public key
> (without needing to contact the bank).
> 
> The hard part would seem to be proving that the certificate relates to
> the actual person who is presenting it (to a practical level of
> certainty similar to traditional techniques), without allowing the
> nightclub to find out who that person is! I assume it would have to be
> based on some sort of temporary secret which you would have to present
> along with the certificate.
> 
> I am sure the naive approach above would not work for various reasons
> but I wonder what work has been done on this? It seems that proof of age
> for everything from creating social media accounts, to shopping, to
> drinking, to accessing porn, to ... is becoming more common and it is
> essential that we have some way of proving age without disclosing who we
> are, or what we want the proof for.
> 
> Graham