* you add an HTTP header saying "I am a kid" * porn web servers read and handle this headers * if they don't (easy to test), they get fined

It is easy to implement, easy to monitor, and will probably just work if the government do the effort to monitor and enforce it. If not, it will just be an other DNT header

What stops a kid from saying "I am an adult" via this header without some draconian client-side enforcement?

You add draconian client-side enforcement via parent controls. You can even mandate that stores ask for whom the device will be and provision it accordingly with the flag being automatically removed in the future when the person is of age.

This cannot, of course, be achieved with open, hackable software on the client device. So you have to outlaw that.

Sorry, no.

I don't think it'll need draconian enforcement, parental controls on iOS and Android can co-exist with Linux. Having the option to enable specific filters on a client side and requiring a pass-code or OS level permissions to change them seems like a realistic way to tackle this that doesn't end in dangerous government power concentration.

As always with security, perfect is the enemy of good. A good set of hard to change - for children - client-side filters would do wonders in terms of real improvement. As much as I'm tired of the LLM hype, they might actually be a good fit for such tasks.

I don't even understand what you're getting at; as if RBAC is an alien concept? Do you think everyone should have root access to any machine they touch?

It's the parent's computer and they have a right to put a password on the BIOS and a child lock on the system that forces these types of headers, with no available bypass for the child account. Or, if they do please, have the router filter any website outside of a whitelist without a password.

We do worse for OpSec all the time?

Exactly. I'd even go one step further: If it takes access to Pr0n for kids to become really sophisticated in tech, how is this not a win too?