which, critically, the government can verify without knowing the user's ID
Wouldn't they know your IP address from which the request is coming? Or potentially use other browser tracking and fingerprinting tricks?
Maybe I misunderstood but it didn't sound like you were describing blind tokens issued in advance.
Thus, the government might learn that some user accessed that particular endpoint
In my view the government knowing the endpoint associated with an individual request is a critical shortcoming. It's just too short a crevasse for them to jump to get that missing piece (identity). Even if the protocol is sound there are other means (eg. force an endpoint to hand over logs, associate with authentications via timing or other characteristics, and use other tracking metadata provided by the endpoint itself or other third parties or even ISP's to figure out who accessed what). No thank you.
Also creates an easy, centralized chokepoint for more widespread censorship. Simply put, the government is not a choice actor I would trust with this type of capability. The technology is not mature enough to truly, in practice, provide the protections needed to do this right.
Wouldn't they know your IP address from which the request is coming? Or potentially use other browser tracking and fingerprinting tricks?
Maybe I misunderstood but it didn't sound like you were describing blind tokens issued in advance.
Thus, the government might learn that some user accessed that particular endpoint
In my view the government knowing the endpoint associated with an individual request is a critical shortcoming. It's just too short a crevasse for them to jump to get that missing piece (identity). Even if the protocol is sound there are other means (eg. force an endpoint to hand over logs, associate with authentications via timing or other characteristics, and use other tracking metadata provided by the endpoint itself or other third parties or even ISP's to figure out who accessed what). No thank you.
Also creates an easy, centralized chokepoint for more widespread censorship. Simply put, the government is not a choice actor I would trust with this type of capability. The technology is not mature enough to truly, in practice, provide the protections needed to do this right.