94 points mikece | 5 comments
ineptech No.44398335
Would it not be reasonable and safe and private to implement age verification through login.gov? An OAuth implementation that knows your identity and age can produce a verifiable token that attests your age but not identity. The only way your identity would leak would be if both the porn site and the OAuth retain the tokens (which they would both claim not to do else no one would use this), and the attacker gets access to both.

I know it's unlikely to happen because of America's (misguided IMO) extreme distaste for digital government ID, but it seems like the current solution (people uploading pictures of their driver's license to porn websites) is worse in every possible way.

replies(3): >>44398708 #>>44398763 #>>44399521 #
ahtihn No.44398708
You need something like Verifiable Credentials to do this properly imo. You don't want something like OAuth because the login service knows which websites you're requesting the login from.
replies(2): >>44398853 #>>44398881 #
1. stvltvs No.44398881
Whatever technical solution is implemented needs to:

1. Not inform the authentication provider about which websites you're visiting.

2. Not inform the websites about your meat space identity.

replies(2): >>44399017 #>>44399512 #
2. ineptech No.44399017
Unless I'm missing something, what I'm describing satisfies both of these (unless one or both parties are malicious).
replies(1): >>44399443 #
3. Nevermark No.44399443
> (unless one or both parties are malicious)

It should be assumed (for the purpose of evaluating if a system is actually secure) that they both are, and are working together.

Validation can be done cryptographically so that assertions (like age) can be verified by one party, and consumed by another party, without either of those parties being able to tie the combination together, even if they are actively cooperating.

4. tzs No.44399512
Add

3. Not allow someone who gets both (1) a log of authentication provider transactions, including timestamps, who was being verified, and whatever output the provider generated, and (2) a log of the website's age checks including timestamps, website accounts, and whatever proof was provided to match them up to associate real IDs from the authentication provider with website account IDs.

To make this work I think any such system will need to be so widely used that there are hundreds or thousands of verifications happening every second at each authentication provider and typical users get verified many times a day, and there should probably be some random delays introduced by the user's computer.

Otherwise it could be too easy to unmask people by looking at verification timing. If you are trying to unmask a user who verified through provider P and P only did a verification for one person that day it is very likely that is the person you are trying to unmask.

replies(1): >>44399599 #
5. Tadpole9181 No.44399599
At this point, I can't even imagine a return to normal governing, let alone good governing. Like imposing enormous fines for ISPs selling user traffic data for packet analysis, to sell name-associated web traffic data to any company or foreign power even when the user is behind a VPN.