undefined | Better HN

0 pointsMattPalmer10864y ago0 comments

I don't think oauth 2 would give the required privacy protection.

How would the flow go? Click on an age verification link on a site. It redirects to the gov site, where you authenticate and it returns a signed claim.

Now the government knows what sites you are visiting. Not something I suspect most people will want when accessing porn sites...

0 comments

amanagnihotri4y ago

I refreshed my understanding of OAuth 2.0 and sure, its typical flows which are meant for convenience do not offer the level of privacy protection as you mention. But if we replace that convenience with some effort from the user, we can get the privacy protection as well.

The flow can be as follows:

The user authenticates itself via government's site and is presented with a page which lets them create government-signed messages using claims provided by the government.

The concerned site can generate a random string during their registration/verification process which they expect to be part of the signed message that the user is to provide them.

The user enters that random string on government's site and checks/selects the age claim for it to be included in the signed message. The government adds timestamp to it and a key id based on the private key which it used to sign the message.

The user posts the signed message on the concerned site during the registration/verification process. The site uses the government's well-known address to fetch the public key associated with the key id (mentioned in the signed message). It then uses the public key to verify the signed message alongside checking the timestamp for recency and presence of the exact random string in the signed message. Ultimately checking the age claim.

So now, instead of providing credit card details, the signed message was provided by the user which the concerned site can validate on its own without the government knowing.

MattPalmer1086OP4y ago

Well, that technically works, but it's unusable. And you would have to do that for every site that requires age verification.

It's not really oauth 2 either, even though it re-uses bits of it. There is no "flow"!

amanagnihotri4y ago

A FOSS browser extension developed and maintained by a non-profit organization, vetted/audited by other trusted third party entities can facilitate convenience in this flow, bringing the overall experience closer to a desirable state.

The websites which are to be restricted by government-imposed legalities can expose the claims they need during their registration/verification process and the browser extension can automatically retrieve those claims alongside other details as mentioned previously, and can auto-fill on the website for the user.

Since this extension acts as the intermediary client, it knows the parties involved but it preserves user's privacy accordingly due to its vetted nature and as a FOSS application.

Of course, there will be concerns regarding pushing people to use such things but if legality can force people to give out their credit card details on certain websites, then it can also push for such user-focused convenience ways to enforce the legal matters. Whether it will really happen is not in our power but technically it is a resolvable matter as put forth by the original comment.

j / k navigate · click thread line to collapse

0 comments

amanagnihotri4y ago

The flow can be as follows:

The user authenticates itself via government's site and is presented with a page which lets them create government-signed messages using claims provided by the government.

The concerned site can generate a random string during their registration/verification process which they expect to be part of the signed message that the user is to provide them.

So now, instead of providing credit card details, the signed message was provided by the user which the concerned site can validate on its own without the government knowing.

MattPalmer1086OP4y ago

Well, that technically works, but it's unusable. And you would have to do that for every site that requires age verification.

It's not really oauth 2 either, even though it re-uses bits of it. There is no "flow"!

amanagnihotri4y ago

Since this extension acts as the intermediary client, it knows the parties involved but it preserves user's privacy accordingly due to its vetted nature and as a FOSS application.

j / k navigate · click thread line to collapse