Age verification is easy. Age verification that leaves no record, is anonymous, and not circumvent-able is difficult. In the physical world it relies on the fallibility of human memory. No such luck with replicated databases.
You can get an anonymous, cryptographically signed, certified legal bearer token confirming your age only, or identity or whatever by a centralized service, be it government or high trust private organizations who need to verify your identity anyway like banks. With some smarts you can probably make such a token yourself so the root bearer token issuer doesn’t have the one you use to browse pornhub.
Perhaps a system like Privacy Pass would be ideal. Where a verifier generates a verified client a number of redeemable signed tokens for a session, but when presented by a client, the site doesn't know who that token was issued to, but they know they authenticated this person and can verify they made the token. Therefore they get access.
You're looking for a technical solution to a political problem. This tech is useless the second a law is passed that identities have to be logged. It's also useless if implementers decide to collect identifying information without telling you.
Doesn’t really matter surely, you only need to trust the identity provider not to leak your identity and your porn provider not to have a key that your identity provider can link to.
They key would be hashed with the user’s details (ip address, value in a session cookie etc) so someone else can’t reuse it. Hell there are things like elliptic curves and DH which still seem magic to me.
Now sure if the identity provider and the site work together they could negate the anonymity, but given that for the identity provider anonymisation would be the key selling feature they wouldn’t want to risk that. Mullvad I’m sure would be trustworthy enough.
> ...Who is accurately and reliably doing age verification online?
ID.me for one is doing full identity verification by looking at your face and your ID card (and I assume having a human check up on it if the algorithm doesn't work). If Apple can do their fancy cloud-AI server thing with provable attestations that they aren't saving your information, someone could build a version of this which has those kind of safeguards and which passes back an emum (UNDER_18, 18_TO_20, ADULT) rather than a name or ID number to the caller.
Whether people would trust it is again, shrug. Most people barely understand how any kind of cryptography works so at the end of the day you do your best and people make their choices on whether to trust you. But the fact is that if the system actually IS designed properly, there isn't any risk of "oh no, 2029 fascism, now Supreme Commander Trump knows what porn sites I use" because that data was never saved.
