That's helpful, thanks. The key issue as I see it is that the issuer of the verification is still getting that request from WhateverNaughty.com, which immediately becomes a problem if this is a government issuer, etc. but it's a huge problem for any user with any issuer.
I guess the solution, and maybe this goes without saying and I've missed it in your fine posts, is that the requester is also anonymized. That way, the issuer doesn't have a record of X person requested verification for Y website. And anyone who hacks that data is going to get precisely nothing.
This only works is, as you say, this is a one-time challenge each time, and we all agree that no one is keeping/storing that data for any use anyway. After all, "is this person 18+ age" would only respond Yes/No, which is hardly actionable by anyone...as long as the asker only gets Yes/No and the Answerer doesn't know or care who's asking. :)
Are both ends anonymized?
Recommended Posts