That's not to say that social groups putting limits on association is _always_ a good thing, just that it's a necessity for maintaining a healthy group.
@PriorProject @PorkrollPosadist
All the examples you provided were infrastructure, not social communities, so I think it's a poor comparison.
Instead, I'd compare AP federation to _social_ constructs. Communities, clubs, groups of friends. Even larger constructs like cities or nation states.
In _those_ examples it's clear that limiting association is commonplace and healthy.
@Toasteh Exactly, that's why the system I proposed doesn't require you to submit ID.
As mentioned in the original post I don't think these systems are worthwhile in the first place. My suggestion is just proof that you can still provide reasonable age-gating without sketchy ID systems.
It would also remain very simple for mobile connections, which I think is a major area of concern for the parents pushing for these laws.
It can't tell the difference between an adult and a child but only the adult would have access to the ISP account credentials.
You're right that, using a simple captive portal system, there's no way to differentiate between devices on the local network, but if each session is short enough that's not too big of a deal.
Let's say it requires reauthentication for each different domain and a domain will stay unblocked for only 5 minutes after traffic to that site stops.
It's imperfect, but _any_ system is going to be imperfect. I'm inclined to optimize for low friction for users and no additional PII being sent.
You wouldn't necessarily have to actually give a CA any details about yourself, just integrate this into the existing ISP portals.
An adult can log into the provider's website and click to generate any client certs they need.
I think this method is maybe a bit _too_ technical (compared to a simple captive portal like you get on public wifi) but I think it would work okay as long as end-users didn't have to go to a 3rd-party or provide any additional information to their ISP to use it.
I definitely agree that these types of blocking are ineffective and generally do more harm than good, but if governments are going to push for this stuff, it would be good to have a solution that doesn't harm people's security and privacy.
There are lots of ways around doing a full SSO integration, though.
In the simplest form, the ISP could simply use a captive portal of some sort directing the user to authenticate first.
While captive portals can't serve the correct certificate most browsers these days are smart enough to detect a captive portal redirect and give the user a smoother experience.
My scheme doesn't require any identity information to be provided by the user.
The ISP already has PII, but that's a risk that already exists today.
It might hurt their bottom line, but the big companies operate in so many different markets and I don't think there's any risk of _all_ of them enacting these types of restrictions.
I'm on mastodon, so I can't downvote (only "like", which translates to an upvote).
@ChrisWere @robert @newpipe
Syncing is fine, but I want to be in control of what is doing the syncing.