This project is not THE digital wallet, it is an early prototype of the wallet (which can be criticized for what it is, but the issue is somewhat orthogonal).
The actual infrastructure is not based on attenstation, if you read the guidelines (or the readme) they actually want to implement a double-blind approach with ZKPs, which imo is significantly better than a challenge-response pub key system in term of privacy as some suggested. And allows for cross-platform (and in theory hardware) support.
If you're not familiar this would mean the verifier doesn't learn anything except a statement about attributes (age, license, etc); and the EU doesn't learn what attributes have been tried to verify or by who.
There are some choices that are debatable (more on the issuer side iirc), but imho for the goals it has it's a competently made architecture.
This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard cryptography that allows issuers (member state governments) to collude with any verifier (a website requiring age verification) to de-anonymize users. The solution is linkable because both the issuer and the verifier see the same identifiers (the SD-JWT and its signature).
The project is supposed to prove that age verification is viable so that the Commission can use it as a success story, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better. Nothing is more permanent than a temporary solution.
It will also be trivial to circumvent [1], potentially leading to a cycle of obfuscation and weakening of privacy features that are present in the current issuer linkable design.
[1] >>44458323
The repository we're commenting on has the following in the spec[0]: "A next version of the Technical Specifications for Age Verification Solutions will include as an experimental feature the Zero-Knowledge Proof (ZKP)". So given that the current spec is not in use, this seems incorrect.
> It will also be trivial to circumvent
If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug. The statement required should be scaled to the application it's used for; this is "over-asking" is considered in the law[1].
> The project is supposed to prove that age verification is viable, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better.
I agree that in it's current state it is effectively unusable due to the ZKPs being omitted.
[0]: https://github.com/eu-digital-identity-wallet/av-doc-technic... [1]: https://youtu.be/PKtklN8mOo0?si=bbqtzMhIK7cFLh6S&t=375
No, that's not what they mean. They just mean that the spec (and for now only the spec, not the implementation) will be amended with an experimental feature, while the implementation will not (yet).
I understand (?) that you are interpreting this as: "we'll later document something that we've already implemented", but this is not the case. That isn't how this project operates, and I'm intimately familiar with the codebase so I'm completely certain they haven't implemented this at all. There is no beginning or even a stub for this feature to land, which is problematic, as an unlinkable signature scheme isn't just a drop-in replacement, but requires careful design. Hence privacy by design.
> If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug.
Anyone of age can make an anonymous age attribute faucet [1] for anyone to use. That it's not technically a bug doesn't make it any less trivial to circumvent. I wouldn't expect the public or even the Commission to make such a distinction. They'll clamor that the solution is broken and that it must be fixed, and at that point I expect the obfuscation and weakening of privacy features to start.
So as we already know that the solution will be trivial to circumvent, it shouldn't be released without at least very clearly and publicly announcing it's limitations. Only if such expectations are correctly set, we have a chance not to end up in a cycle where the open source and privacy story will be abandoned in the name of security.
[1] Because of the linkable signature scheme in principle misuse can be detected by issuers, but this would be in direct contradiction with their privacy claims (namely that the issuer pinky promises not to record any issued credentials or signatures).
I can see this argument, but it has a few caveats:
- The 'faucet', providing infinite key material in an open proxy is also very vulnerable
- If the only attribute is age verification then uniqueness is not required; i.e. you can borrow the key of someone you trust and that should be fine.
- The unlinkability is a requirement from the law itself, i.e. the current implementation cannot be executed upon assuming rule of law holds
Even if it is ZKP still… whole idea is just bad. I mean whole age-veryfication done by gov is bad.
And forcing one to use smartphone is even worse.