> You don't want these to be replayable (give your JWT to someone else to use) so they need to be bounded in some ways (eg intended website, time, proof it came from you and not someone else).

But these are the things that make it non-anonymous, because then instead of one token that says "is over 18" that you get once and keep forever, everyone constantly has to request zillions of tokens. Which opens up a timing attack, because then the issuer and site can collude to see that every time notbob69 signs into the website, Bob Smith requested a token, and over really quite a small number of logins to the site, that correlation becomes uniquely identifying.

Meanwhile we don't need to solve it this way, because the much better solution is to have the site provide a header that says "this content is only for adults" than to have the user provide the site with anything, and then let the user's device do what it will with that information, i.e. not show the content if the user is a minor.

▲

hirsin 2 hours ago | parent [-]

Which is why you separate the credential issuance from the credential use, per the standard mentioned.

	▲	AnthonyMouse 2 hours ago \| parent [-]
		The cryptography provides nothing to establish that this separation is actually being maintained and there is plenty of evidence (e.g. Snowden) of governments doing exactly the opposite while publicly claiming the contrary. On top of that, it's a timing attack, so all you need is the logs from both of them. Government gets breached and the logs published, all the sites learn who you are. Government becomes corrupt/authoritarian, seizes logs from sites openly or in secret (and can use the ones from e.g. Cloudflare without the site itself even knowing about it), retroactively identifies people.