> Any "verification" means unacceptable privacy violations.

So I'm not necessarily arguing for age controls here, but purely on a technical level what do you think of schemes like Verifiable Credentials, which delegate verification to third parties that have already established your identity?

In theory you can set up a system that works like this:

1. User goes to restricted site and sets up an account

2. Site forwards them on to a verification service with a request "IsOver18?"

3. User selects their bank from a dropdown on the broker site

4. Broker forwards them to the bank, with a request "IsOver18?"

5. User logs in and selects "Sure, prove I am over 18 to this request"

6. Bank sends a signed response to the broker "Yep"

7. Broker verifies and sends its own signed response to the site "Yep"

8. The site tags the account as "Over 18 Status verified"

In this situation, the restricted site doesn't get anything other than a boolean answer from the broker. The broker can link a request to a given bank but doesn't get anything that gives away your identity. The bank knows your identity and that it has approved a request, but not necessarily where the request came from.