Age-verification without leaking birth date
This article describes how to create a Legal Identity that can be used to demonstrate that you have reached a certain age, without having to disclose your actual birth date. This is an important mechanism to protect the integrity of personal information, especially if the person is a child.
Creating a Preview ID application
The first step is to create a Preview Legal Identity application containing sufficient personal information so that the age can be verified. This application will have to contain sensitive personal information, including birth date. But creating a Preview application ensures the data is not stored in a searchable database or logs. Instead it is stored in encrypted form, and only during the process to validate the information. Once the preview application has been validated, a new application can be created, containing a subset of the sensitive information, and once that is completed, the sensitive information will be removed.
The personal data necessary to include in the Preview application is:
| Property | Description |
|---|---|
| BDAY | Birth Day |
| BMONTH | Birth Month |
| BYEAR | Birth Year |
| AGEABOVE | Age above the stated number of years |
Creating real ID application
Once the Preview application has been approved, a new, real ID application is made. This new application has to have a reference to the Preview application, and should only contain a subset of the properties. At a minimum, the following properties should be included:
| Property | Description |
|---|---|
| PREVIEW | Reference to the earlier Preview application. |
| AGEABOVE | Age above the stated number of years |
Once this application has been approved, the sensitive personal information will be removed as the preview application is deleted.
Proving your age
Proving your age is as simple as performing a Quick Login with the new identity. If property filters are used, include the AGEABOVE property. As the new identity contains a reduced set of information, and no birth-date (if it was removed in the second step above), only the AGEABOVE property is received, together with proof the Neuron has validated the claim.
How to set AGEABOVE
The AGEABOVE property should not be set to the age of the user, as that can leak personal information. Instead, it should be set to a legal limit required for one or more specific purposes. If there’s an age requirement in a country for a particular purpose, that age should be encoded in the AGEABOVE property. The property will be accepted if the personal information provided in the preview can be validated, and the age of the person deduced is at or above the indicated number.
As there are different age limits for different purposes and countries (for instance, 13, 15, 16, 17, 18, 20 and 21 are common limits), the site that tests the age of a user should not expect the number to be a specific value. Instead, it should expect the number to be at least a specific number. If there’s an age requirement for a service of 16 years of age, identities with any number for AGEABOVE greater than or equal to 16 should be accepted as proof the person is at least 16 years old.
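The two checks described above, as an added example that is not code from the Neuron or its APIs: the validating side accepts a requested AGEABOVE only if the age deduced from BYEAR, BMONTH and BDAY is at or above it, and the relying site accepts any AGEABOVE at or above its own requirement. The function names, the dictionary shape of the properties and the sample values are assumptions; verifying the proof that the Neuron validated the claim is assumed to have happened before `meets_requirement` is called.

```python
from datetime import date

def age_on(born: date, today: date) -> int:
    """Whole years completed on `today`."""
    years = today.year - born.year
    # Birthday not reached yet this year: one year less. A 29 February
    # birthday counts from 1 March in non-leap years (an assumption here).
    if (today.month, today.day) < (born.month, born.day):
        years -= 1
    return years

def validate_preview(props: dict, today: date) -> bool:
    """Validator side: accept AGEABOVE only if the deduced age is at or above it."""
    try:
        born = date(int(props["BYEAR"]), int(props["BMONTH"]), int(props["BDAY"]))
        claimed = int(props["AGEABOVE"])
    except (KeyError, TypeError, ValueError):
        return False  # missing or malformed property: fail closed
    if claimed < 0 or born > today:
        return False
    return age_on(born, today) >= claimed

def reduced_properties(preview_ref: str, props: dict) -> dict:
    """Properties for the real application: the reference and the limit only."""
    return {"PREVIEW": preview_ref, "AGEABOVE": str(int(props["AGEABOVE"]))}

def meets_requirement(identity: dict, required: int) -> bool:
    """Relying site: any AGEABOVE at or above `required` is proof; absence is not."""
    raw = identity.get("AGEABOVE")
    if isinstance(raw, bool) or not isinstance(raw, (str, int)):
        return False
    try:
        return int(raw) >= required
    except ValueError:
        return False

# Constructed sample data, not taken from a real identity.
PREVIEW = {"BYEAR": "2008", "BMONTH": "2", "BDAY": "29", "AGEABOVE": "16"}
```

The relying site compares with `>=` and never with `==`, so an identity issued with AGEABOVE 18 also satisfies a 16-year requirement.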
Validating Electronic Travel Documents & ICAO PKI Certificates
When validating electronic Travel Documents, applications need to validate against corresponding issuer certificates not managed by the operating system. To do that, the application needs to get access to these certificates somehow, and build custom X.509 chains during validation. To avoid having such an application embed the entire list of all these issuer certificates, a list which also gets regularly updated, a new repository and package is available that publishes these certificates on Neurons where the package is installed. Applications can easily check with the corresponding Neuron and download the required certificates, based on the Authority Key Identifiers available in the Electronic Travel Document certificates.
| Information about the ICAO PKI Certificate package | |
|---|---|
| Package | IcaoPkiCertificates.package |
| Installation key | vAa0l/iFHVogQYUzm+Zs6qPsw+7lYrnyFn4MNAGA7+Gso442gJJMKjknHqka/YjM6gZZSS65HL8Adbfba1067a1a27163b905869469d6f0d |
| More information | https://github.com/Trust-Anchor-Group/IcaoPkiCertificates |
#features, #id, #kyc, #neuron, #api, #repository, #package, #new
Custom Event Sinks
From Build 2026-01-06, the IoT Gateway supports configuration of custom Event Sinks in the gateway.config file. On the TAG Neuron, the contents of this file are editable via the corresponding data source. From the Sources & Nodes menu in the administrative panel, the data source Gateway configuration now contains a new node called EventSinks:

Adding custom event sinks
By selecting the EventSinks node, and pressing the Add button, you can add new event sinks. The options available depend on what services are hosted on the Neuron:

Default Event Sink Types
The following event sink types are available by default, at the time of writing:
Event Filter allows you to filter out a subset of events of interest. The Event Filter sink then passes them on to child sinks, which propagate them in accordance with their instructions.
MQTT Event Sink propagates incoming events to a topic on an MQTT broker.
Pipe Event Sink forwards events to an operating system pipe, giving another process on the machine access to the events.
TCP/IP Socket Event Sink sends the logged events via TCP/IP to a remote machine.
Text File Event Sink stores events in text files. By including date and time tags in the file name, a sequence of files can be generated. The event sink also automatically deletes old files.
WebHook Event Sink forwards events to an external source using POST. The protocol used depends on the URI scheme used by the Callback URI. The WebHook Event Sink can also collect and group events together, for easier processing on the recipient side.
XML File Event Sink records events into XML files. Date and time tags in the file name allow you to create a sequence of XML files. Old files are automatically deleted.
XMPP Event Sink sends logged events to an XMPP recipient.
Child Nodes
Testing WebHooks
When developing server-to-server applications, it is important to be able to test webhooks without leaking sensitive or private information. To avoid having to use 3rd party services, such as webhook.site, a new package has been made available containing a service that can be installed on any Neuron® and that allows you to view incoming POST requests in a similar fashion.
Installable Package
The Web-Hook Tester service has been made into a package that can be downloaded and installed on any TAG Neuron. If your Neuron is connected to the TAG Neuron network, you can install the package using the following information:
| Package information | |
|---|---|
| Package | TAG.WebHookTester.package |
| Installation key | Mb9pim8FTjHBnju2f2ZVNHBRbOG3VHhM7iBn26mgcvc/uwjouWjHEF0OmcC/noKEuZAOWZY6Ka4A4abb4fc2a2596e04f047400e3218dcd2 |
| Repository | WebHookTester repository at GitHub |
The package can be installed via the administrative console (Chat Admin) using the following command:
install nobackup TAG.WebHookTester.package Mb9pim8FTjHBnju2f2ZVNHBRbOG3VHhM7iBn26mgcvc/uwjouWjHEF0OmcC/noKEuZAOWZY6Ka4A4abb4fc2a2596e04f047400e3218dcd2
Starting service
The WebHook tester service appears in the administrative portal, in the Software section:

Pressing it opens the following page: https://lab.tagroot.io/WebHookTester/Show.md

Note: This page does not require client authentication, and can be used anonymously.
Note 2: You can also use the script prompt to make custom POST calls to the page. This requires elevated privileges however, and cannot be done anonymously.
Creating a Page
Enter an ID and press the Start button to create a new page you can POST to. Since the service can be accessible by anyone, use an ID that is difficult to guess, if you do not want others to get easy access to the information. Press the Randomize button to create a random ID. You can customize the random ID to remember the purpose of the page, if you have multiple pages open.

Test Page
When you press the Start button, a new page is opened. It contains instructions how you can POST to the page:

Use the URL presented to POST to the page. If you want to test a back-end service integration, this is the URL you provide as a webhook callback URL. Any POST made to this URL will be displayed on the page.
Note: Nothing is saved or persisted on the page. The page does not remember previous POSTs, so if you refresh the page you lose the information on the page.
Note 2: Make sure to differentiate between the URL of the page (which points to a resource with extension .md) and the URL to POST to (which points to a resource with extension .ws).
Incoming POSTs
As soon as an incoming POST is made, it is displayed on the page as follows. It displays the time of the event, any HTTP headers in the request, together with a textual representation of the payload (if content is text-based), as well as the binary payload, BASE64-encoded. Each POST is presented in its own SECTION tag on the page.

Responses
The response to a POST call to the resource will be a JSON object with one property called Forwarded, which indicates the number of pages the information was forwarded to. If this number is 0, the page has closed or lost contact with the Neuron. Example:
{
"Forwarded":1
}
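A client-side sketch of the points above, as an added example that is not part of the WebHookTester package: it creates a hard-to-guess page ID, refuses the page URL (.md) where the URL to POST to (.ws) is expected, and treats a Forwarded value of 0 as an undelivered event. The function names are assumptions, and the URL passed to `post_test_event` is the one shown on the Test Page.

```python
import json
import secrets
import urllib.request
from urllib.parse import urlsplit

def random_page_id(purpose: str = "") -> str:
    """Hard-to-guess page ID, with an optional readable prefix for the purpose."""
    token = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
    return f"{purpose}-{token}" if purpose else token

def require_post_url(url: str) -> str:
    """Reject the page URL (.md) where the URL to POST to (.ws) is expected."""
    path = urlsplit(url).path
    if not path.endswith(".ws"):
        raise ValueError(f"not a POST resource (expected .ws): {path!r}")
    return url

def forwarded_count(body: bytes) -> int:
    """Parse the tester's JSON response and return its Forwarded property."""
    doc = json.loads(body)
    count = doc.get("Forwarded") if isinstance(doc, dict) else None
    if isinstance(count, bool) or not isinstance(count, int) or count < 0:
        raise ValueError("response has no valid Forwarded property")
    return count

def post_test_event(url: str, payload: dict, timeout: float = 10.0) -> bool:
    """POST a JSON payload; True only if at least one open page received it."""
    req = urllib.request.Request(
        require_post_url(url),
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        # Forwarded == 0: the page has closed or lost contact with the Neuron.
        return forwarded_count(resp.read()) > 0
```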
Tunneling POST request over XMPP
As the Neuron is connected to the XMPP network as well, since it is hosted on the IoT Gateway, the POST request can be tunneled over the XMPP network using the httpx:// URI scheme. This permits you to do callbacks to local development machines, or machines not accessible via the Internet.
To achieve this, you need to perform the call from another instance hosted on the IoT Gateway. It can be the IoT Gateway itself, Lil’Sis’ or another instance of the TAG Neuron, including a development version on a local machine. Replace the https scheme in the URI with the httpx URI scheme, and replace the host with the JID of the recipient. For the call over XMPP to succeed, the sender and receiver need to be friends, i.e. have approved presence subscriptions.
This can be easily tested using the script prompt:

Note: Any software using the Waher.Content Internet Content-Type abstraction, and the InternetContent content access methods, together with the Waher.Networking.XMPP.HTTPX library (containing the httpx URI scheme definition) will automatically support httpx URIs.
Note 2: Since the QuickLogin API and RemoteLogin API are both hosted on the TAG Neuron®, you can register httpx callback URIs with these APIs. This makes it possible to host the recipient service behind a firewall, as long as it supports the HTTP over XMPP protocol.
Auto-signing contract proposals using LegalLab
It is now possible to let LegalLab auto-sign contract proposals for you, simplifying often occurring tasks during development. You enable this feature by checking the “Auto-sign contract proposals” checkbox in the Create Contract tab. The feature is only available when LegalLab is connected. If this checkbox is enabled when a contract proposal is received, the contract will be automatically loaded and presented, and LegalLab will automatically sign the contract for the proposed role.
