PKI using the standard X.509 certificate that all mobile devices and PC's already support would seem the likely technology.
It's possible to assert age and not identity and it's possible without relying on government or private collection and storage of birth date and name.
The Canadian government could mimic the kind of bottom up authentication that "web of trust" systems like OpenPGP and Certification Authorities like CACert already employ. Regular civilians attesting to the minimum age of the subject. Penalties for fraudulent assurance.
I've been an OpenPGP user for thirty years and a CACert Assurer for more than ten years.
I have to confess — when I first saw your name, my immediate thought was Tiger Woods, PGA Tour — can you spare a dollar, brother? lol
But seriously, what you and the other commenter are describing cuts through a lot of the fog around this debate. The technology isn’t theoretical. PKI and X.509 certificates are already baked into every mobile device and PC on the planet. OpenPGP’s web of trust model and CACert’s assurer network have been stress-tested for decades by people who actually understand the threat surface.
The core insight is powerful: you can cryptographically assert age without asserting identity. No government database of birthdates. No private collection of names. Civilian assurers attesting to minimum age, with meaningful penalties for fraudulent attestation. Distributed, privacy-respecting, and built on infrastructure that already exists.
The honest conclusion is this: the technical solutions are mature, field-proven, and deployable. What has never been in short supply is the problem. What has always been in short supply is the political will to implement solutions that don’t also happen to serve surveillance appetites. If that will existed, the architecture is ready.
Did you ever have to work with PKI back in the day? During my last stint as a Systems Analyst, I was surprised that no one was looking at a Public Key Infrastructure for providing a digital identity using the public/private key system. If the government held the Public key server, and logins required the key exchange to decrypt the request, that would have given the user security that hacking their account would be allot more challenging, and digital signatures on forum posts, and later social media would have brought anonymity to an end.
But I can see where that would still be a step further than the government and social media are willing to go. Encryption keys off private communications that would take a quantum computer a while to break into, assuming no one built a backdoor into the encryption mechanism, which would make criminal and security investigation much harder. And it would end the social media business model of giving free access in exchange for the user’s personal data.
It will be interesting to see if the Canadian government will build a n effective and useful system for protecting online users from the predators that infest the online universe, or just pay lip service to the idea. Common Evan, now is the time to show us you were the right person for the Minister’s Chair.
Thanks for this — you’ve clearly worked at the systems level where these questions are real, not theoretical.
I don’t have a deep security background personally, but in my time working with military networks I was exposed to enough to understand the architecture you’re describing. What struck me then was the separation of privilege built into the structure — the network supervisor and the security officer held different access rights to the root of the server, neither one able to act unilaterally. That separation wasn’t bureaucratic friction, it was the security model. Two keys, two roles, one system.
Your PKI proposal has that same logic at national scale — and Estonia proved it can be built. The question for Canada isn’t technical feasibility. It’s whether the government is willing to architect something where they also don’t hold unilateral access. That’s the test.
On the Digital Safety Act — what you’re describing exposes a real gap. The Act is largely focused on content moderation obligations and, as of today’s tabling, a social media ban for users under sixteen. The identity infrastructure layer you’re pointing at isn’t in the room. This is Ottawa’s fourth attempt at online harms legislation since 2021. The previous three collapsed under the weight of competing demands from civil liberties groups, child-safety advocates, and platform lobbyists.
The ball is now in Marc Miller’s court — Minister of Canadian Identity and Culture, and the man shepherding this bill through the House. The press conference is today. Now is the time to show us the chair was well chosen.
Your instinct about the backdoor is the right one to hold onto. The encryption is only as trustworthy as the institutional commitment not to hollow it out.
Thank you for articulating a sane version of this technology. The absence of care for all in the past 25 or so years of our digital lives is now clearly exposed.
PKI using the standard X.509 certificate that all mobile devices and PC's already support would seem the likely technology.
It's possible to assert age and not identity and it's possible without relying on government or private collection and storage of birth date and name.
The Canadian government could mimic the kind of bottom up authentication that "web of trust" systems like OpenPGP and Certification Authorities like CACert already employ. Regular civilians attesting to the minimum age of the subject. Penalties for fraudulent assurance.
I've been an OpenPGP user for thirty years and a CACert Assurer for more than ten years.
I have to confess — when I first saw your name, my immediate thought was Tiger Woods, PGA Tour — can you spare a dollar, brother? lol
But seriously, what you and the other commenter are describing cuts through a lot of the fog around this debate. The technology isn’t theoretical. PKI and X.509 certificates are already baked into every mobile device and PC on the planet. OpenPGP’s web of trust model and CACert’s assurer network have been stress-tested for decades by people who actually understand the threat surface.
The core insight is powerful: you can cryptographically assert age without asserting identity. No government database of birthdates. No private collection of names. Civilian assurers attesting to minimum age, with meaningful penalties for fraudulent attestation. Distributed, privacy-respecting, and built on infrastructure that already exists.
The honest conclusion is this: the technical solutions are mature, field-proven, and deployable. What has never been in short supply is the problem. What has always been in short supply is the political will to implement solutions that don’t also happen to serve surveillance appetites. If that will existed, the architecture is ready.
I must admit you brought back some memories for me when you mentioned managing NetWare based LANs, and the power of Supervisors.
Did you ever have to work with PKI back in the day? During my last stint as a Systems Analyst, I was surprised that no one was looking at a Public Key Infrastructure for providing a digital identity using the public/private key system. If the government held the Public key server, and logins required the key exchange to decrypt the request, that would have given the user security that hacking their account would be allot more challenging, and digital signatures on forum posts, and later social media would have brought anonymity to an end.
But I can see where that would still be a step further than the government and social media are willing to go. Encryption keys off private communications that would take a quantum computer a while to break into, assuming no one built a backdoor into the encryption mechanism, which would make criminal and security investigation much harder. And it would end the social media business model of giving free access in exchange for the user’s personal data.
It will be interesting to see if the Canadian government will build a n effective and useful system for protecting online users from the predators that infest the online universe, or just pay lip service to the idea. Common Evan, now is the time to show us you were the right person for the Minister’s Chair.
Thanks for this — you’ve clearly worked at the systems level where these questions are real, not theoretical.
I don’t have a deep security background personally, but in my time working with military networks I was exposed to enough to understand the architecture you’re describing. What struck me then was the separation of privilege built into the structure — the network supervisor and the security officer held different access rights to the root of the server, neither one able to act unilaterally. That separation wasn’t bureaucratic friction, it was the security model. Two keys, two roles, one system.
Your PKI proposal has that same logic at national scale — and Estonia proved it can be built. The question for Canada isn’t technical feasibility. It’s whether the government is willing to architect something where they also don’t hold unilateral access. That’s the test.
On the Digital Safety Act — what you’re describing exposes a real gap. The Act is largely focused on content moderation obligations and, as of today’s tabling, a social media ban for users under sixteen. The identity infrastructure layer you’re pointing at isn’t in the room. This is Ottawa’s fourth attempt at online harms legislation since 2021. The previous three collapsed under the weight of competing demands from civil liberties groups, child-safety advocates, and platform lobbyists.
The ball is now in Marc Miller’s court — Minister of Canadian Identity and Culture, and the man shepherding this bill through the House. The press conference is today. Now is the time to show us the chair was well chosen.
Your instinct about the backdoor is the right one to hold onto. The encryption is only as trustworthy as the institutional commitment not to hollow it out.
— Glen
PS, I would appreciate your thoughts on how the approach you suggest could be extended to protect voting and elector lists.
Thank you for articulating a sane version of this technology. The absence of care for all in the past 25 or so years of our digital lives is now clearly exposed.