Video Demo: https://www.youtube.com/watch?v=MmcUJ5u65Q0
Actual Demo: https://app.hornpub.click
How it works:
1) Go to app.horpub.click
2) Create an ephemeral passkey
3) Extract its public-key and id (this binds the credential you're creating to your device)
4) The user copies this data to their bank's Age-Verification-Section
5) The bank creates an object that it signs with an attestation of the user's age (KYC) and their pass-key-public-key
6) The user copies this back to app.hornpub.click
7) The passkey is verified on the server, the bank's signature is verified by the server, some other meta-data is verified to make sure nothing weird is happening.
8) The user's age has been verified by their bank without the bank knowing who is asking for verification
* This method is more private than anything requiring sharing your photo-id online
* This method doesn't trigger GLBA or GDPR (user copies data themselves)
* This method is free to the merchant (hornpub)
"Hey third fifth of Oregon! Do you want to triple your customer base in Oregon for the cost of a small dev team and 1 month of work?!"
> f*cking app on my phone
I need another app on my phone like I need another hole in my head...
If you're not familiar this would mean the verifier doesn't learns anything except a statement about attributes (age, license, etc); and the EU doesn't learn what attributes have been tried to verify or by who.
The ZKP approach aims to prevent this attack method.
mPulse
Google Marketing Platform Meta
LinkedIn Ads
Trade Desk
Aggregate Knowledge (Trans Union)
Adobe Audience Manger
Can you elaborate on how the risk of ironbank and hornpub colluding by de-anonymizing you via rainbow tables or IP forensics is substantially greater than Chase and PornHub using - Google Marketing?
This is called "linkability" and ideally should be avoided so anonymous age verification can be safe.
What would need to happen in the United States to implement a reliable ZKP age verification system - and how long would it take to roll it out?
Asking because it feels like the Titanic has sunk, and we're eschewing a floating door because the coast guard has regulation conformant life rafts that would work better.
Anyway I'm not advocating for this solution, just addressing the question directly.
Further, if you put on an adblocker and I get access to the logs at ironbank and hornpub; I could just query them for your IP address.
Collusion to this degree is possible, but doesn't seem worth worrying about if the aforementioned attack vectors still exist. My $0.02.
I don't see this as the end all ultimate solution for age verification. I see it more as a tourniquet; imperfect - but better than bleeding to death.
Realistically at least 3-4 years, assuming they want to keep the same goals as eIDAS. I think the (software) implementation will be the least costly part, time-wise; but it takes a long time before everyone adopts a new social system. Especially in the US where there has been no precedent for digital identification. Even with full control of your own ID & and solid implementation details, there will be push-back just for suggesting that people/companies should adopt it.