• sunbeam60@feddit.uk
    arrow-up
    5
    ·
    edit-2
    2 days ago

    Once again, have you read the EU proposal? We are, after all, talking about France here, not the UK.

    The UK, no longer part of the EU, of course have gone much softer and enabled non-anonymous verification. I am of course deeply against this.

    What I AM talking about is the ZKP method mandated by the EU, which is anonymous.

    I’ll ignore your name-calling; not very conducive to a debate.

        • clean_anion@programming.dev
          arrow-up
          2
          ·
          22 hours ago

          The DKTB is a personal app. It is therefore assumed, that the User will not share it with other people, and that only the User can access and control their personal DKTB. Ultimately, this means that all attestations in a DKTB are expected to pertain to and only be presented by the same User. This is enforced by requiring the user to authenticate using biometry or PIN-code when using the app and only allowing the DKTB application to be installed on one device per user. (from the PDF)

          This is a false assumption: PIN codes can be bypassed by sharing them with others. Devices can be faked unless using hardware attestation, which prohibits any modifications to the device which may be undertaken by those interested in rooting or installing a custom OS.

          Users can initially acquire a DKTB on their smartphone or tablet via Google Play or the Apple App store. (from the PDF)

          This method requires the use of a vanilla, unmodified device, effectively prohibiting modifications to devices that one might wish to alter.

          • sunbeam60@feddit.uk
            arrow-up
            1
            ·
            21 hours ago

            It may theoretically be a false assumption but in practice it’s really not. The MitID identification and signing framework of Denmark, and many other similar systems across the EU, is based entirely on “the device is personal, access to it is limited and the secure enclaves within them are trustworthy”.

            You are correct that this framework is not designed for anyone who wishes to root their device or install a custom OS. In other words, it cuts out 0.00000000001% of the population. The colour of the app has a bigger impact than “oh no! We can’t support rooted devices”.

    • Noja@sopuli.xyz
      arrow-up
      4
      arrow-down
      1
      ·
      2 days ago

      There’s no such thing as anonymous age verification; you can browse the web freely without creating an account. Age verification removes that anonymity. I don’t really care about the EU age verification shit, we already have that in Germany; porn websites of course ignore that law because nobody would use their site if they had to verify everyone’s age. They just removed all .de domains.