What about a scenario brought up by a reddit user: a hotel clerk in a tourist destination handles a hundred international passports in a day. Is there some way they can surreptitiously grab a signature from each of them and use them for an attack?
Yes. Passports don't have PIN numbers attached because they're meant to be used with biometrics instead. The zero-knowledge proof of passport is really a proof of passport possession.
For a corrupt hotel clerk to create ZKPOPs they'd just have to do the same process as ordinary users - scan the photo page or type the BAC details in by hand, then NFC scan the passport chip and process the output. If a customer can see their passport at all times this shouldn't be possible without arousing suspicion. If they take it away then they could do it.
Is this a problem? Well, it's not ideal, but any security system has to make a tradeoff between usability and robustness. In this case the usability would be pretty good if you have an Android NFC phone and a laptop (the SNARKS are too intensive to create on a phone so you'd need a computer to help it), I think it'd not make setting up a node much harder. Certainly it's more complicated and lower throughput than building a botnet.
If you wanted to solve this anyway, you would have to pair it with some third party that verified your face against the passport data. For instance, pick one of N third parties who do a Skype video chat with you, where you hold up a word they give you on a piece of paper, and then it's matched against the passport. Obviously this is more complicated, expensive and involves introducing more ID verification authorities who do the face matching. It may still be easier/cheaper than what Bitcoin exchanges make people do though.
So I tried an app out with my phone and it read the biometric,photo and ID details fine. The security info says the signatures are OK but it seems there is no "Active Authentication", meaning the passport could be cloned.
Biometrics data is unreadable because it's encrypted under a key only governments have (edit: to be more precise, the passport challenges the reader which must sign with a country-specific key). The rest of the data is encrypted under a key derived from the photo page because it's just a copy of what you can already see.
AA is irrelevant for this scheme. I mentioned it in the talk only to introduce the "real" solution. AA lets you prove ownership of the passport over the internet by challenging it with a nonce that's signed, but it doesn't provide any way to hide data so it can be anonymous.