IDology brags of the endorsement of Wine America.
“IDology’s age verification solution gives wineries an important, effective and efficient way to instantly confirm someone’s age when making remote wine sales”Let me get this straight.
I'm an underage drinker trying to work out how to get some booze for the weekend party (because I told this cute girl who might like me that I could get some). All my usual sources are dried up - my older brother is out of town, my parents liquor cabinet is locked, and the crazy bearded guy who hangs out at the beer store is in detox. My chances with the cute girl are looking slim.
Then it comes to me, I will buy wine for the party online. Wine has alcohol in it right? (I've seen my father do the Bird Dance countless times at weddings after drinking wine, there must be some). And it comes in different flavours and colours. And there is no way that the online wine store will know I'm underage. Sweet!
So the plan is as follows
1) I go to my chosen online wine retailer (a member of Wine America)
2) I learn that, in order to buy my Cabernet I must be able to prove my age. They provide a convenient link to IDology for the service
3) I create an account at IDology, claiming whatever age is necessary for me to be able to buy the wine
4) IDology asks me lots of tricky questions in order to verify my claimed age. Questions that only somebody of the right age would know - like ''Who was the ugly sister on the Brady Brunch?' (a trick, only Marsha wasn't ugly) and ''Janet Jackson's "wardrobe malfunction" displayed what part of her insecurities?'
5) With the aid of online search engines, I ace the test.
6) IDology gives me a card for the verified age.
7) I present the card to the wine retailer.
8) I place my order (30 bottles of a nice red from South Australia)
9) I wait for my order to arrive
10) 10-14 days later, I get my wine
11) the (disappointingly sober) party long ended, the cute girl ends up with the crazy bearded guy.
3) I expect that somewhere in the IDology card is a claim URI that includes the string 'age:verified'. As I see it, this approach conflates the claim with the 'metaclaim', i.e. as AuthnContext does for SAML, and PAPE does for OpenID - the justification for why an IDP is making a claim should not be part of the claim itself.