this post was submitted on 29 Jul 2025
27 points (100.0% liked)

Privacy

[–] hendrik@palaver.p3x.de 7 points 5 days ago

I don't think this is true. We have mechanisms in authentication systems to prevent that. For example, make requests valid for one use only. And I'd say if an attacker can ask about age every single day until a user turns 18, and by that gaining knowledge about their exact birthday, it's something like a side-channel attack and by definition not "zero" knowledge any more and needs to be handled/prevented by the implementation.

[–] hansolo@lemmy.today 4 points 5 days ago

I've been saying a version of this for years.

Zero Knowledge Proofs are, yes, only half of what's needed. Much like pulling my ID from my wallet, I need to actively consent to offering the service the data I confirm. Preferably (IMO) every time it's requested.

Otherwise what's to stop verification abuse from literally turning into session hijacking? Someone sends me a phishing link and if I have ID auto-submit turned on, an attacker can in a second run my full name and ID contents as attributed to anything.
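
The three controls raised in the two comments above (single-use requests, a limit on how often the same age question can be asked, and consent on every request) can be sketched as a wallet-side gate. This is an added example, not part of the thread and not any real wallet's API; `WalletGate`, `daily_probe`, the verifier name and the dates are hypothetical, and the zero-knowledge proof itself is replaced by a plain yes/no answer.

```python
import secrets
from datetime import date, timedelta

class WalletGate:
    """Hypothetical wallet-side policy in front of an 'over 18' proof."""

    def __init__(self, birthdate, min_interval=timedelta(days=365)):
        self.birthdate = birthdate      # constructed sample value, not Feb 29
        self.min_interval = min_interval
        self.pending = {}      # nonce -> verifier the request is bound to
        self.last_answer = {}  # verifier -> date of the last disclosed answer

    def new_request(self, verifier):
        """Register an incoming request under a fresh single-use nonce.
        Assumption: the verifier identity has already been authenticated."""
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = verifier
        return nonce

    def answer(self, nonce, verifier, consent, today):
        # One use only: pop() consumes the nonce, so a replay finds nothing.
        if self.pending.pop(nonce, None) != verifier:
            return "rejected: unknown or replayed request"
        # Consent is required on every request, never auto-submitted.
        if not consent:
            return "rejected: no consent"
        # Throttle per verifier. Both outcomes count as an answer, because
        # the flip from "no" to "yes" is what reveals the birthday.
        last = self.last_answer.get(verifier)
        if last is not None and today - last < self.min_interval:
            return "rejected: asked too recently"
        self.last_answer[verifier] = today
        eighteenth = self.birthdate.replace(year=self.birthdate.year + 18)
        return "over 18" if today >= eighteenth else "not over 18"

def daily_probe(gate, verifier, start, days):
    """Constructed scenario: one verifier asks every day with a fresh
    request each time; returns only the answers it actually receives."""
    answers = []
    for i in range(days):
        nonce = gate.new_request(verifier)
        result = gate.answer(nonce, verifier, consent=True,
                             today=start + timedelta(days=i))
        if not result.startswith("rejected"):
            answers.append(result)
    return answers
```

With `min_interval=timedelta(0)` the daily answers flip on the exact 18th birthday even though every request is single-use; with the default interval the same verifier receives one answer for the whole period.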