Video Demo: https://www.youtube.com/watch?v=MmcUJ5u65Q0
Actual Demo: https://app.hornpub.click
How it works:
1) Go to app.horpub.click
2) Create an ephemeral passkey
3) Extract its public-key and id (this binds the credential you're creating to your device)
4) The user copies this data to their bank's Age-Verification-Section
5) The bank creates an object that it signs with an attestation of the user's age (KYC) and their pass-key-public-key
6) The user copies this back to app.hornpub.click
7) The passkey is verified on the server, the bank's signature is verified by the server, some other meta-data is verified to make sure nothing weird is happening.
8) The user's age has been verified by their bank without the bank knowing who is asking for verification
* This method is more private than anything requiring sharing your photo-id online
* This method doesn't trigger GLBA or GDPR (user copies data themselves)
* This method is free to the merchant (hornpub)
This is called "linkability" and ideally should be avoided so anonymous age verification can be safe.
Further, if you put on an adblocker and I get access to the logs at ironbank and hornpub; I could just query them for your IP address.
Collusion to this degree is possible, but doesn't seem worth worrying about if the aforementioned attack vectors still exist. My $0.02.