alt Hacker NewsNot necessarily. In theory, the attestation that someone is of age can be provided by a central service. The central service does not need the website account information to provide a non-fungible certificate, that you show to your service that has no way of knowing who you are from the certificate. All it needs to ensure is the certificate is used only once per account.
You can then prevent certificate forging by forwarding a cryptographic hash of the requester identity (generated by the website client), which will be included in the cert body so the website can verify the attestation was generated for this specific request, and it cannot be randomly reused.
Of course this doesn't solve the problem of using your grandma's id to bypass age restrictions, but I think that problem is worth the cost of privacy gains from corporations not validating IDs directly and screwing up like Discord's vendor did here.
Either the certificate is the same every time and therefore it's an identifier.
Or the certificate isn't the same every time and therefore you can generate a whole bunch of them and give them out for $2 apiece.
Or the certificate isn't the same every time and also isn't anonymous so they can trace who's doing that.
You don't have to reuse the same certificate for several requests. You can get a new one for every request, for every person who is asked to verify their age and pays you $2, and if they're actually anonymous, there's no way to know you did this. Is a rate limit part of the proposal? Can I only sign up to one adult service per week?
Unless you meant the requester's real identity, in which case... we're back to not anonymous.