Comment Re:Why? (Score 2) 163

You can flip the topsoil from one end of the country to the other. Nothing left but desert.

You really can't. Not with conventional weapons. Not even with nukes, really, though with nukes you could kill pretty much everyone in the population centers. Is that what you're proposing?

Comment Re:Bridge for sale (Score 3, Interesting) 99

Looks like I spoke too soon. The specification massively contradicts itself. 3.4.2 requires reissuance every three months, and requires that it issue 30 attestations at a time, and that they be single-use.

That part is architecturally correct, though allowing access to only 30 adult sites per three months is dubious.

Those are minimums, not maximums. Devices should request new certs when they get low. Also, the three-month period is driven by expiration times. It sounds like the EU has decided they want to enforce a maximum expiration time of three months, though I think most countries I've talked to were planning monthly expirations.

And, BTW, this structure is inherited from the ISO 18013-5 security design, which I created (others contributed refinements, and the data minimization scheme was inherited from other systems, but the core design was mine). So... I know a little something about it :-)

And if getting a new proof requires a new request at some point, then it becomes possible for the trusted list provider, conspiring with the proof of attestation provider, to cross-correlate the timing of requests and unmask a user with high probability.

If the issuer will collude with the verifier, they can easily and fully unmask the user's identity, because the issuer knows all of the public keys they issued, and to whom. This is a known issue, something we considered for 18013-5 and decided had to be accepted for now. There is cryptography that can solve this problem, but at least back in ~2020 when the design was finalized (a) a lot of it was still too novel and (b) wasn't supported in common hardware. I don't think either of those things has changed, and there's a further complication that there aren't any PQC algorithms with the necessary capabilities, though the existing design can be trivially updated with PQC key agreement and signature algorithms.

So you still have a value that is potentially usable for tracking across multiple websites. It's just a timestamp. I'm not sure if I'm reading what they're saying correctly. If they mean all 30 in a batch have the same value, this is a disaster.

It's really not, because they also have the same value as thousands of others that were issued with the same timestamp. Granted that if the request (as identified by IP) is from a region with low population it will sometimes, maybe, be possible to weakly conclude that two proofs by users with same timestamp might be the same person. But this would be a very weak signal and it still doesn't tell you anything about who that person is. The IP address is a far stronger signal.

It lacks a section on threat models and how it addresses those threats, which is the first thing I'd expect to see.

At this point, I have no idea whether this protects privacy or not. And that's perhaps more disturbing.

At least for 18013-5 there is a detailed threat model, but it's not in the standard because we were told that standards are supposed to say "what", not get bogged down in "why". I'm not sure if the model is published anywhere.

Comment Re:An unintended side effect.. (Score 1) 52

..of the shortage of IPv4 addresses and NAT is that IoT devices need to connect to servers, often with subscriptions, for remote access. I should be able to connect directly with my IoT devices using IPv6 and the devices should be secure enough to exist on the public internet.

Or not. You can still have a stateful firewall with IPv6, and it will provide exactly as much security as a NAT device. There's no reason to require that all of your devices be able to exist on the public Internet, which is actually a pretty tall order -- especially for IoT devices that tend not to get updated as much as they should.

Comment Re:Why? (Score 0) 163

Why are we allowing a shit stain government like that controlling Iran right now to be any kind of threat to international shipping? We SHOULD be able to put enough steel down in the area to make any attempt to control traffic by Iran impossible.

Doesn't work that way. There are limits to what can be achieved with air power, and we've reached them, and they're not enough to deter Iran. Said a different way: Iran has won Trump's war... unless and until he's willing to put lots of boots on the ground. And doing that would mean thousands of American soldiers will die.

Everyone with a clue knew this was the outcome of an attack on Iran. That's why previous presidents didn't do it, and why Obama negotiated the "terrible" JCPOA (which, actually, was quite good considering Iran's position). But the dumbass we have in the White House now was too stupid to listen to the advisors who told him that. Much like Putin thought with Ukraine, Trump thought it'd last a few days and he'd win.

At this point, Donnie has two choices: Invade Iran with a few hundred thousand troops, or cave and give Iran the concessions they're asking for. Well, three, I guess. He could continue blockading Iran until the world gets desperate and joins the war -- on Iran's side. Because Iran's not going to blink. They have no reason to.

Comment This is pretty well done (Score 4, Insightful) 99

I expect a lot of comments on this article to be varieties of "this is terrible"... but it's really not, and I happen to have significant knowledge here. There is a big caveat, though, which I'll explain below.

First, the basic thing that makes strong, reliable age verification possible in the EU is national ID cards. In every EU country, as far as I know, you can get a national ID card basically from birth. A few issue at birth by default, but even those that don't allow parents to apply for cards for their kids at basically any age, and it's not uncommon.

I get the widespread American resistance to a national ID card, but I really think it's misplaced. There are risks, yes, but on balance the benefits are far larger.

Second, when the EU says you can verify your age without revealing your identity, they seriously mean it. I worked on the ISO 18013-5 mobile driving license standard, and its protocol is the basis for the age verification scheme (18013-5 also supports privacy-preserving age verification). The protocol enables cryptographically-secure privacy-preserving age verification, providing, essentially, a single cryptographically-verifiable bit answering the question "Is this person over age X", for specific legally-important ages. A great deal of effort goes into ensuring that the keys used to sign the bit cannot be linked to the identity of the person. One important element of that is the signing keys are single-use, so if you prove your age to two different web sites, they can't compare notes and notice that your proof of age used the same signing key, thereby proving that whoever you are, you visited both.

Note that under the 18013-5 design, if the verifier (e.g. the web site receiving proof of age) could collaborate with the issuer (the government), they could deanonymize the holder (the person proving their age). Work is ongoing to devise protocols using group signatures or other cryptographic constructs that make verifier/issuer collusion fruitless. It's been a couple of years since I worked in this space, so I don't know if those new approaches have gone into production, but if they haven't, they will.

The big caveat I mentioned at the top is that there is no way for these systems to verify that the person who is providing age verification is the legitimate holder of the national ID upon which it's based. That is, a kid can steal their dad's ID and use it. Because the age verification is truly, strongly anonymous, there is no way for anyone to detect or prevent this... yet.

The "yet" is because people are working on incorporating privacy-preserving biometric authentication into the scheme. This is a little tricky because to provide privacy it's critical that the biometric acquisition and matching happen entirely in the user's device (or in the chip in the national ID card). But it can be done. Making it sufficiently secure, sufficiently reliable and sufficiently cheap is a significant engineering challenge, but it's being worked on. In another decade or so, the caveat may be removed.

If all of this seems silly to you... well, the age verification for porn may be, but the privacy-preserving selective proof technologies are general-purpose, and able to answer any age verification question and many other useful questions in a strongly privacy-preserving way. In any case where you need to prove something about yourself (age, city of residence, driving privileges, etc.) right now you need to provide the complete contents of your ID, which reveals far more about you than is necessary. The combination of cryptography, secure hardware and clever protocols used in this age verification can fix that, generally, enabling us to identify, authenticate or prove things about ourselves with only the minimal information absolutely necessary. It's a good thing.

And, honestly, it's a good idea to keep very young children away from porn.
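The single-use signing keys, the shared batch timestamp and the issuer/verifier collusion limit described in this post and in the "Bridge for sale" reply above, as a toy model added here that is not the poster's code and not ISO 18013-5's actual mechanism: a Lamport-style one-time key stands in for the device key, an HMAC under a constructed ISSUER_KEY stands in for the issuer's signature, and the holder names, issuer ledger and batch timestamp are all constructed.

```python
import hashlib, hmac, secrets
H = lambda b: hashlib.sha256(b).digest()
ISSUER_KEY = secrets.token_bytes(32)  # constructed stand-in; a real issuer uses a public-key signature

def issue_batch(records, holder, over_18, ts, n=30):
    """Issuer mints n single-use attestations for one holder; records is the issuer's pk->holder ledger."""
    batch = []
    for _ in range(n):
        sk = (secrets.token_bytes(32), secrets.token_bytes(32))  # one-time, Lamport-style key pair
        pk = H(sk[0]) + H(sk[1])
        sig = hmac.new(ISSUER_KEY, pk + bytes([over_18]) + ts.to_bytes(8, "big"), "sha256").digest()
        batch.append({"sk": sk, "pk": pk, "bit": over_18, "ts": ts, "sig": sig})
        records.append({"holder": holder, "pk": pk, "ts": ts})  # never leaves the issuer
    return batch

def present(att, challenge):
    """Holder answers a site's 1-bit challenge by revealing one preimage of the one-time key."""
    return {**{k: att[k] for k in ("pk", "bit", "ts", "sig")}, "c": challenge, "reveal": att["sk"][challenge]}

def verify(proof):
    """Site checks the issuer's signature, the holder's possession proof and the over-18 bit."""
    msg = proof["pk"] + bytes([proof["bit"]]) + proof["ts"].to_bytes(8, "big")
    ok_issuer = hmac.compare_digest(hmac.new(ISSUER_KEY, msg, "sha256").digest(), proof["sig"])
    half = proof["pk"][32:] if proof["c"] else proof["pk"][:32]
    return ok_issuer and H(proof["reveal"]) == half and proof["bit"] == 1

def cross_site_links(log_a, log_b):
    """Two sites comparing notes can only match on the key; single-use keys give no matches."""
    return {p["pk"] for p in log_a} & {p["pk"] for p in log_b}

def anonymity_set(proof, records):
    """The batch timestamp alone only narrows a proof to everyone issued in that window."""
    return {r["holder"] for r in records if r["ts"] == proof["ts"]}

def unmask_with_issuer(proof, records):
    """Issuer colluding with a site: its ledger maps the public key straight to a holder."""
    return next(r["holder"] for r in records if r["pk"] == proof["pk"])

def demo():
    records, ts = [], 1_700_000_000  # constructed issuer ledger and batch timestamp
    alice, bob = issue_batch(records, "alice", 1, ts), issue_batch(records, "bob", 1, ts)
    carol = issue_batch(records, "carol", 0, ts)
    site_a = [present(alice[0], 1), present(bob[0], 0)]  # what two unrelated sites each see
    site_b = [present(alice[1], 0), present(carol[0], 1)]
    return {"adults_pass": all(verify(p) for p in site_a + site_b[:1]),
            "minor_rejected": not verify(site_b[1]),
            "links_single_use": len(cross_site_links(site_a, site_b)),
            "links_if_reused": len(cross_site_links(site_a, [present(alice[0], 0)])),
            "timestamp_candidates": len(anonymity_set(site_a[0], records)),
            "collusion_unmask": unmask_with_issuer(site_a[0], records)}
```

The demo shows the three points in one run: two sites sharing logs find no common key, reusing one attestation at a second site immediately creates a link, and the timestamp only narrows a proof to the whole batch window while the issuer's own ledger resolves it outright.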

Comment Terrible headline (Score 4, Insightful) 132

This is a terrible headline. Really one of the worst in a while, but it's actually The Guardian's fault as that is their headline as well. This is not encouraging people to use more power, but telling them WHEN they should use power. "It's windy and sunny right now, quick, wash your clothes and charge your car!"

Comment Re:Charging Batteries (Score 1) 42

I came here thinking the same thing. I see others say it's to offset peak usage hours. But still, the energy conversion needed to charge these batteries would negate the benefit, right?

Absolutely not. The charge/discharge round trip losses will be a few percent, maybe 10% if the batteries are in bad shape. The price difference between peak and off-peak is often 5-10X. Commercial users also get hit with demand surcharges based on the peak draw during the month and those can really make a huge difference. Using batteries to smooth out those peaks can be a bigger savings even than avoiding draw during peak times.

Even for residential use, the savings can be significant. I have batteries and I'm on a time-of-use plan that charges me 5X as much during peak hours (6-10PM) as the rest of the day. I make sure the system is set up so that I never draw any power during peak.

Comment Re:This could go either way... (Score 1) 48

> this will just quietly disappear when someone educates webXray

"Nice business you have here. It would be a shame if something happened to it."

https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3F...

Incredibly unlikely. If the claimed violations are legitimate, and webXray reported them to the state plus the attempt to lean on them, Google would get slammed, hard, both legally and in the press. No way in hell Google would risk that.

Comment Re:The most full-retard law I ever see (Score 1) 139

>"The person who wrote this law must be one of the most utterly moronic person on earth"

How is it any less ridiculous than so-called "gun free zone" laws? Let's just pass a law that says it is illegal to have a gun in area X. But area X is not controlled, not patrolled, not searched, not secure. The only people who would abide such a law, and de-arm themselves, are exactly the good people who follow laws and have no intent of violent crime, including the people who have zero record and with concealed carry permits. Meanwhile, the criminals carrying illegally don't give a **** about laws and now have a wonderful target area where it is even LESS likely they will meet any resistance. The exact opposite of the desired outcome.

They might as well just pass a law making everywhere a "crime free zone." There, all our problems are solved! There is no shortage of stupid.

Comment Re:A couple of observations (Score 4, Informative) 139

>"First, the gun problem is pretty much specific to the US"

The 2A is not a "problem", nor is good people owning/carrying guns. There are problems with violence, both with and without guns, and that is not "specific to the USA". There are also problems with enforcement and follow-through for existing gun laws. Worrying about 3D printers is ridiculous. But so are many other types of "gun control" like so-called "gun-free zones."

>"Second, in a country which just this year has had 21 school shootings as of today,"

"School shootings" is a semantically-overloaded term. Most are not in the school, but on property around the school. Usually those shot are also not related to the schools and often not even during school hours. I am not saying it isn't a problem, but the data are often twisted to make it sound far worse than it is. And that is the case with the article you cited. They hide the ACTUAL data, like category of who was shot, when, exactly where (inside, outside, field, woods, parking lot), and full circumstances. Their data INCLUDES self-defense use, for example. It INCLUDES non-school gang-related activity. It INCLUDES at night or non-operating hours. It INCLUDES a public sidewalk or edge of the woods, or parking area far away from any building.

>"the real problem isn't printed guns. It's a whole set of cultural, social, political, and governance flaws which need to be fixed"

Agreed.

>"Citizens of other nations don't feel a moment of panic and start scoping out shelter and escape routes when they hear some random loud bang while walking down the street."

Neither do perhaps 99%+ of Americans. The vast majority of the gun crime is focused in small geographical spots in the USA.

>"Yet ironically, the "land of the free" is now a Fascist dictatorship"

That is, of course, nonsense.

>"Leave the 3D printers alone"

Agreed.

Comment Re: Not surprising (Score 1) 64

Perhaps that's why I'm failing. Struggling with some poorly documented LCD and an ESP32. Would probably be more accurate if I were using a Pi or something.

I have a lot of success with obscure, mostly-undocumented systems. Which models are you using? There's an enormous difference in capability level between the top-tier models and the next step down. Also a pretty big cost difference.

Comment Re:This could go either way... (Score 2) 48

It's also possible that webXray is confusing ad/tracking cookies with cookies required for normal site operation.

There is no such thing. Everything done with cookies can be done some other way EXCEPT for tracking, e.g. with hidden form variables or additional arguments in a request.

It can be, sure, but it's less reliable and more painful to work with.
