On 2023-09-01, Don Y wrote:
> [...]
> Yet, travel to this other store, down the road, and they want to
> scan an ID to save time *reading* it.

The articles state that the purpose of the tool is to detect forgeries
(which are, by their nature, intentionally hard to detect via reading).

Has nothing to do with validating the holder of the card is old enough
to buy beer (etc.).

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

On 9/1/2023 12:47 PM, Dan Purgert wrote:
> On 2023-09-01, Don Y wrote:
>> [...]
>> Yet, travel to this other store, down the road, and they want to
>> scan an ID to save time *reading* it.
>
> The articles state that the purpose of the tool is to detect forgeries
> (which are, by their nature, intentionally hard to detect via reading).
>
> Has nothing to do with validating the holder of the card is old enough
> to buy beer (etc.).

My search criteria was "scanning drivers licenses" -- not "scanning
drivers licenses to verify age"

Note the scanner that *I* experienced had no connection to anything
other than power -- so, other than any checksums in the barcode
data, there would be nothing other than checking the "DoB" field
to see if it was legit. So, all it was doing was "saving time
reading it".

Feel free to search for any criteria *you* deem appropriate.

On 2023-09-01, Don Y wrote:
> On 9/1/2023 12:47 PM, Dan Purgert wrote:
>> On 2023-09-01, Don Y wrote:
>>> [...]
>>> Yet, travel to this other store, down the road, and they want to
>>> scan an ID to save time *reading* it.
>>
>> The articles state that the purpose of the tool is to detect forgeries
>> (which are, by their nature, intentionally hard to detect via reading).
>>
>> Has nothing to do with validating the holder of the card is old enough
>> to buy beer (etc.).
>
> My search criteria was "scanning drivers licenses" -- not "scanning
> drivers licenses to verify age"
> [...]
> Feel free to search for any criteria *you* deem appropriate.

I'm perfectly happy with your previous articles that disprove your
statements / assumptions that "the scanner only proves the holder is
over 21".

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

On 9/4/2023 5:24 AM, Dan Purgert wrote:
> On 2023-09-01, Don Y wrote:
>> On 9/1/2023 12:47 PM, Dan Purgert wrote:
>>> On 2023-09-01, Don Y wrote:
>>>> [...]
>>>> Yet, travel to this other store, down the road, and they want to
>>>> scan an ID to save time *reading* it.
>>>
>>> The articles state that the purpose of the tool is to detect forgeries
>>> (which are, by their nature, intentionally hard to detect via reading).
>>>
>>> Has nothing to do with validating the holder of the card is old enough
>>> to buy beer (etc.).
>>
>> My search criteria was "scanning drivers licenses" -- not "scanning
>> drivers licenses to verify age"
>> [...]
>> Feel free to search for any criteria *you* deem appropriate.
>
> I'm perfectly happy with your previous articles that disprove your
> statements / assumptions that "the scanner only proves the holder is
> over 21".

Problem with reading comprehension?

"BevMo! + Gopuff
@BevMo
Hi! We don't scan any information but verify the age and validity of the
license. The scanner is connected to only a power outlet. We appreciate the
feedback."

On 2023-09-04, Don Y wrote:
> On 9/4/2023 5:24 AM, Dan Purgert wrote:
>> On 2023-09-01, Don Y wrote:
>>> On 9/1/2023 12:47 PM, Dan Purgert wrote:
>>>> On 2023-09-01, Don Y wrote:
>>>>> [...]
>>>>> Yet, travel to this other store, down the road, and they want to
>>>>> scan an ID to save time *reading* it.
>>>>
>>>> The articles state that the purpose of the tool is to detect forgeries
>>>> (which are, by their nature, intentionally hard to detect via reading).
>>>>
>>>> Has nothing to do with validating the holder of the card is old enough
>>>> to buy beer (etc.).
>>>
>>> My search criteria was "scanning drivers licenses" -- not "scanning
>>> drivers licenses to verify age"
>>> [...]
>>> Feel free to search for any criteria *you* deem appropriate.
>>
>> I'm perfectly happy with your previous articles that disprove your
>> statements / assumptions that "the scanner only proves the holder is
>> over 21".
>
> Problem with reading comprehension?
>
> "BevMo! + Gopuff
> @BevMo
> Hi! We don't scan any information but verify the age and validity of the
> license. The scanner is connected to only a power outlet. We
> appreciate the feedback."

So they scan for the "validity of the license". Granted, "non expired"
doesn't mean "not-forged" (and both would mean "valid", but for
different reasons).

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

On 9/4/2023 6:10 AM, Dan Purgert wrote:
> On 2023-09-04, Don Y wrote:
>> On 9/4/2023 5:24 AM, Dan Purgert wrote:
>>> On 2023-09-01, Don Y wrote:
>>>> On 9/1/2023 12:47 PM, Dan Purgert wrote:
>>>>> On 2023-09-01, Don Y wrote:
>>>>>> [...]
>>>>>> Yet, travel to this other store, down the road, and they want to
>>>>>> scan an ID to save time *reading* it.
>>>>>
>>>>> The articles state that the purpose of the tool is to detect forgeries
>>>>> (which are, by their nature, intentionally hard to detect via reading).
>>>>>
>>>>> Has nothing to do with validating the holder of the card is old enough
>>>>> to buy beer (etc.).
>>>>
>>>> My search criteria was "scanning drivers licenses" -- not "scanning
>>>> drivers licenses to verify age"
>>>> [...]
>>>> Feel free to search for any criteria *you* deem appropriate.
>>>
>>> I'm perfectly happy with your previous articles that disprove your
>>> statements / assumptions that "the scanner only proves the holder is
>>> over 21".
>>
>> Problem with reading comprehension?
>>
>> "BevMo! + Gopuff
>> @BevMo
>> Hi! We don't scan any information but verify the age and validity of the
>> license. The scanner is connected to only a power outlet. We
>> appreciate the feedback."
>
> So they scan for the "validity of the license". Granted, "non expired"
> doesn't mean "not-forged" (and both would mean "valid", but for
> different reasons).

You can't check the validity of a credential without consulting
an authoritative reference -- using a SECURE communications
medium. Would a business that relies on making such sales
put its livelihood at risk of an equipment or comms or remote
service failure -- unless LEGISLATED to do so? Would a
legislature risk pissing off an entire industry because the
customers served by that industry likely objected to "being
tracked"?

I stated that they use a scanner to "verify your age" -- inasmuch
as liquor stores have ever "verified your age" (by EXAMINING a
credential that YOU present -- *if* even that much!)

Such an appliance would be trivial to produce, assuming the
format of the barcode is publicly available and the contents not
encrypted (which both appear to be true). Assuming, of course,
that the human agent can verify the appearance of the individual
presenting the credential roughly coincides with the information
(e.g., photo, sex) on the credential.

[The last could also be automated -- I verify the identity of
friends/neighbors that come to my front door -- but only if the
fidelity of the imagery were improved or encoded in some other
form *or* some other biometric was used]

On 2023-09-04, Don Y wrote:
> On 9/4/2023 6:10 AM, Dan Purgert wrote:
>> On 2023-09-04, Don Y wrote:
>>> On 9/4/2023 5:24 AM, Dan Purgert wrote:
>>>> On 2023-09-01, Don Y wrote:
>>>>> On 9/1/2023 12:47 PM, Dan Purgert wrote:
>>>>>> On 2023-09-01, Don Y wrote:
>>>>>>> [...]
>>>>>>> Yet, travel to this other store, down the road, and they want to
>>>>>>> scan an ID to save time *reading* it.
>>>>>>
>>>>>> The articles state that the purpose of the tool is to detect forgeries
>>>>>> (which are, by their nature, intentionally hard to detect via reading).
>>>>>>
>>>>>> Has nothing to do with validating the holder of the card is old enough
>>>>>> to buy beer (etc.).
>>>>>
>>>>> My search criteria was "scanning drivers licenses" -- not "scanning
>>>>> drivers licenses to verify age"
>>>>> [...]
>>>>> Feel free to search for any criteria *you* deem appropriate.
>>>>
>>>> I'm perfectly happy with your previous articles that disprove your
>>>> statements / assumptions that "the scanner only proves the holder is
>>>> over 21".
>>>
>>> Problem with reading comprehension?
>>>
>>> "BevMo! + Gopuff
>>> @BevMo
>>> Hi! We don't scan any information but verify the age and validity of the
>>> license. The scanner is connected to only a power outlet. We
>>> appreciate the feedback."
>>
>> So they scan for the "validity of the license". Granted, "non expired"
>> doesn't mean "not-forged" (and both would mean "valid", but for
>> different reasons).
>
> You can't check the validity of a credential without consulting
> an authoritative reference -- using a SECURE communications
> medium. Would a business that relies on making such sales

If done (and I'm not saying it is), a simple public key could trivially
validate a signed document, even whilst not connected to anything else.

An RSA 2048-bit signature is "only" 256 bytes long, and would easily fit
in a QR code on an ID (as I recall, 2048 Bytes is the max data one can
encode in a QR Code). No need at all for the internet, just check
against the state's public key stored in the device.

Worst case, this scanner thing will need to store ~500 keys (assuming
states roll new keys annually, AND issued IDs last for 10 years like a
passport. I doubt both hold true). A few updates / year isn't exactly
the end of the world.

>
> I stated that they use a scanner to "verify your age" -- inasmuch
> as liquor stores have ever "verified your age" (by EXAMINING a
> credential that YOU present -- *if* even that much!)

All of the quotes say that the scanner "verifies the ID". Minimum
requirement here is "today is not after the card's expiration date"
(although "actually issued by [STATE]" would be significantly better).

How many times do cashiers tell you "oh hey, your IDs expiring soon"
(never, right?)

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

On 9/4/2023 7:25 AM, Dan Purgert wrote:
>>> So they scan for the "validity of the license". Granted, "non expired"
>>> doesn't mean "not-forged" (and both would mean "valid", but for
>>> different reasons).
>>
>> You can't check the validity of a credential without consulting
>> an authoritative reference -- using a SECURE communications
>> medium. Would a business that relies on making such sales
>
> If done (and I'm not saying it is), a simple public key could trivially
> validate a signed document, even whilst not connected to anything else.

Authentication systems are notoriously prone to exploit.
Attack the credential or attack the process. Or both.

I recently got into an argument with someone who claimed you can't
corrupt "signed" executables: "Sure you can! Corrupt the process
that verifies the signature!" (only a fool would attack a credential
when the process is far more accessible -- to anyone having physical
access to that PC!)

> An RSA 2048-bit signature is "only" 256 bytes long, and would easily fit
> in a QR code on an ID (as I recall, 2048 Bytes is the max data one can
> encode in a QR Code). No need at all for the internet, just check
> against the state's public key stored in the device.

<https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/>

Hack the device to *not* perform the check.

Or, hack the clerk to scan a photocopy of a valid credential.

(When we were teens, we'd shop at the local Ma&Pa convenience
store -- "Red & White" -- cuz a friend's older brother worked
the register. Granted, "checks", back then, didn't rely on any
special kit other than two eyes reading a driver's license but
that ASSUMED that they actually *did* that!)

Unless each scanner is relatively unique, anyone can buy a scanner
and figure out how it needs to be hacked to make that possible.

[Folks aren't going to bother if the "stakes" are something as
trivial as "access to liquor" -- as there are so many other
ways to subvert the system -- including finding another source
that is easier to hack!]

> Worst case, this scanner thing will need to store ~500 keys (assuming
> states roll new keys annually, AND issued IDs last for 10 years like a
> passport. I doubt both hold true). A few updates / year isn't exactly
> the end of the world.

What does the vendor do when the scanner breaks -- stop selling alcohol?
(How many times do you see self-check registers "out of order")

[Buy a spare! And remember to keep BOTH "current"?]

>> I stated that they use a scanner to "verify your age" -- inasmuch
>> as liquor stores have ever "verified your age" (by EXAMINING a
>> credential that YOU present -- *if* even that much!)
>
> All of the quotes say that the scanner "verifies the ID". Minimum
> requirement here is "today is not after the card's expiration date"
> (although "actually issued by [STATE]" would be significantly better).
>
> How many times do cashiers tell you "oh hey, your IDs expiring soon"
> (never, right?)

Costco will gleefully remind me that my "ID" (membership card)
will be expiring -- as they make money from each expiration.

DL requirements vary significantly, from state to state.
When I moved here (30+ years ago), I was given *a* DL that
was valid until I turned 65 (!). When I asked "what if I *move*
before then?" "Oh, just write your new address on a slip of paper
and clip it to the license..."

(WTF?)

Growing up, a DL was valid for *4* years. And, was actually ~1/3
of a Hollerith card!

Some of this has changed as the gummit wanted to get new photos of
everyone thus mandating reissuance. Then, the TravelID requirement
came along (important if MX is a nearby neighbor). I think
AFTER 65 there are more frequent reissuance requirements because
they want to recheck your eyesight, etc. (though even THAT test
has been dumbed down)

There is a separate, parallel, system for "non driver" IDs
but I'm not familiar with its specifics.

On 2023-09-04, Don Y wrote:
> On 9/4/2023 7:25 AM, Dan Purgert wrote:
>>>> So they scan for the "validity of the license". Granted, "non expired"
>>>> doesn't mean "not-forged" (and both would mean "valid", but for
>>>> different reasons).
>>>
>>> You can't check the validity of a credential without consulting
>>> an authoritative reference -- using a SECURE communications
>>> medium. Would a business that relies on making such sales
>>
>> If done (and I'm not saying it is), a simple public key could trivially
>> validate a signed document, even whilst not connected to anything else.
>
> Authentication systems are notoriously prone to exploit.
> Attack the credential or attack the process. Or both.

Thing is (here anyway), all the state IDs aren't even issued at a
registrar anymore, but rather a central authority in the state capitol.
So, "protecting the private key" isn't that difficult.

I'm sure you can come up with all kinds of "Mission: Impossible"
scenarios for getting around the scanner ... but we're talking about
buying a 6-pack, not state secrets.

[...]

>> Worst case, this scanner thing will need to store ~500 keys (assuming
>> states roll new keys annually, AND issued IDs last for 10 years like a
>> passport. I doubt both hold true). A few updates / year isn't exactly
>> the end of the world.
>
> What does the vendor do when the scanner breaks -- stop selling alcohol?
> (How many times do you see self-check registers "out of order")

Stop validating the ID with it (barring a state mandate it *must* be
used, which nothing seems to imply is the case). Same as how they used
to pull out the old Carbon-Copy machine with creditcards when those
systems died (but well, cards these days aren't embossed anymore, so
that's kinda out the window too ;) )

It's "just another tool in the toolbox" to not accidentally "pass" an
invalid-for-whatever-reason ID.

>
> [Buy a spare! And remember to keep BOTH "current"?]

I mean, one would assume that the store has scanners at both/all
registers ... even the local ma&pa liquor shops have 2...

>> [...]
>> How many times do cashiers tell you "oh hey, your IDs expiring soon"
>> (never, right?)
>
> Costco will gleefully remind me that my "ID" (membership card)
> will be expiring -- as they make money from each expiration.

Of course they'll tell you your subscription is nearly up...

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860