https://bmi.usercontent.opencode.de/eudi-wallet/wallet-development-documentation-public/latest/architecture-concept/06-mobile-devices/02-mdvm/
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx I read to non-duplication of the keys, so I'm now confident they are completely incompetent. This is the security approach you would use for a entry system, i.e. a digital key to open a door, and you want to keep the same rules you had before for people who were granted access: one key per person, and when you fire that person or restrict their access to that door, you get the key back.
This is not what the ID wallet is about: it's about replacing a written signature, and showing official documents that are bound to a person. It is no problem at all to have those copied on multiple devices, as long as you check that it's the right person accessing the wallet the moment it creates a signature or shows an ID card.
On the other hand, the single non-copy device still allows the Steffie Graf autograph attack, or, for key entry: you could temporarily lend your unique key to someone else who uses it to enter the secret room and takes out things or data or whatever, and afterwards returns the key to you (you can even pretend it was stolen and returned without you noticing). The actually required access control doesn't happen, but instead some bullshit happens, especially, your valuable IDs, certificates etc. are now bound to a device that can get lost or break, without easy backup.
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
-
@pojntfx Oder auch @dsk @CCC @echo_pbreyer @digitalcourage :
Was haltet ihr von eID, die nur über Google/Apple funktionieren?
-
@pojntfx I read to non-duplication of the keys, so I'm now confident they are completely incompetent. This is the security approach you would use for a entry system, i.e. a digital key to open a door, and you want to keep the same rules you had before for people who were granted access: one key per person, and when you fire that person or restrict their access to that door, you get the key back.
This is not what the ID wallet is about: it's about replacing a written signature, and showing official documents that are bound to a person. It is no problem at all to have those copied on multiple devices, as long as you check that it's the right person accessing the wallet the moment it creates a signature or shows an ID card.
On the other hand, the single non-copy device still allows the Steffie Graf autograph attack, or, for key entry: you could temporarily lend your unique key to someone else who uses it to enter the secret room and takes out things or data or whatever, and afterwards returns the key to you (you can even pretend it was stolen and returned without you noticing). The actually required access control doesn't happen, but instead some bullshit happens, especially, your valuable IDs, certificates etc. are now bound to a device that can get lost or break, without easy backup.
@forthy42 @pojntfx I guess the (not-so-easy) backup method would be to acquire eIDs from multiple member states (the Estonian e-residence would probably be one of the easier additional ones to get) and then rely on the cross-border mutual recognition which I believe EIDAS guarantees? I hope the German wallet will work with other European eIDs?
Would this address the issue if one still needs some approved device with Google Play Services and some Google profile? -
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx
And we shall refuse to use it! -
@fallbackerik @pojntfx @arjen the existence of other apps which were downloaded from other stores/spurces wouldn't be an issue
But if you use a phone without Google play services (e.g. lineageOS (although play services can be added later) or grapheneOS) or a rooted phone you won't be able to use that app at all
Maybe just having an unlocked bootloader would keep you from using it (that depends on what level of the device integrity the app requires)@fallbackerik @pojntfx @arjen with an unlocked bootloader (even if you didn't modify the system in any way (although having an unlocked bootloader just for fun isn't a good idea. But it is necessary if you want to install custom ROMs. So if the manufacturer of your phone adds some stuff you don't want and you just want to install vanilla android (without root and with Google play services) you need to unlock your bootloader)) you fail the play protect certification
-
@pojntfx Thing is: we must NEVER accept any digital-only solution for things like this (IDs, license etc.). Analouge/offline life must ALWAYS be possible!
...regardless of where it's hosted.
@Bebef @pojntfx yeah, i know you can take a picture of your license here in the us and give your phone to a cop in some places, but i would never. rather just hand over my physical license card i paid way too much money for and always carry with me outside the house. just like my phone, but im not handing that to anyone, nor my physical wallet.
-
If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police
Sorry, digital drivers license and Germany? I cannot make these ends meet.
Felicitas Pojtinger
@pojntfx
If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police -
If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police
It is TOTALLY unrealistic this project even works by end of the year. And then it’s gonna been shutdown five to 20 times because of mostly naive yet fundamental design flaws.
-
@Bebef @pojntfx yeah, i know you can take a picture of your license here in the us and give your phone to a cop in some places, but i would never. rather just hand over my physical license card i paid way too much money for and always carry with me outside the house. just like my phone, but im not handing that to anyone, nor my physical wallet.
@makeitmythic @pojntfx "Too much money" is a funny thing to say for a US driving license. German prices are in the $4k ball park.
Not trying to diminish anything, just giving a point of reference.
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx This is european retardation not exclusif to germany
-
@fallbackerik @pojntfx @arjen the existence of other apps which were downloaded from other stores/spurces wouldn't be an issue
But if you use a phone without Google play services (e.g. lineageOS (although play services can be added later) or grapheneOS) or a rooted phone you won't be able to use that app at all
Maybe just having an unlocked bootloader would keep you from using it (that depends on what level of the device integrity the app requires) -
I've said it before an I'll say it again: This entire project of identity verification with Apple/Google-account bound mobile devices is going to lead the continent down a dark, dark path into full technological submission to the US
@pojntfx
Is it a Telekom-SAP project? -
I've said it before an I'll say it again: This entire project of identity verification with Apple/Google-account bound mobile devices is going to lead the continent down a dark, dark path into full technological submission to the US
it'll probably be even more fun for non-resident (dual) citizens who don't (for whatever reason) have a based in Germany mobile phone account - and thus have no access to install whatever authentication mechanism is required.
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
the Estonian eID system seems to work pretty well and doesn't require any 3rd party corporate account to work.
even works for e-Residents who don't live in Estonia, nor have Estonian citizenship
-
@david @pojntfx I was mostly thinking of NLWallet, which is actually government backed/owned. As far as I know it’s ZKP, and it’s even open-ish (not GPL, but at least source-available). You can build it from source yourself.
But I’m not as knowledgeable on the matter as @pojntfx, so I could absolutely be missing something here on the implementation of zero knowledge here.
See their GitHub page here: https://github.com/MinBZK/nl-wallet
@sstendahl @david @pojntfx is yivi operating on the same trust level?
-
@makeitmythic @pojntfx "Too much money" is a funny thing to say for a US driving license. German prices are in the $4k ball park.
Not trying to diminish anything, just giving a point of reference.
-
@fallbackerik @pojntfx @arjen
Ah, you were talking about *that* app being installed via fdroid, got itI'm not sure if it follows from that document that they will require installation via the play store but they mention the check for that ("accountDetails.appLicensingVerdict") so they collect it at least
OP only mentions that you need a Google account to install the app from Google play, I'm not sure if the play integrity checks work without an account or if it is needed for that
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx Hopefully the huge legal issues with this will delay it.
-
@fallbackerik @pojntfx @arjen
Ah, you were talking about *that* app being installed via fdroid, got itI'm not sure if it follows from that document that they will require installation via the play store but they mention the check for that ("accountDetails.appLicensingVerdict") so they collect it at least
OP only mentions that you need a Google account to install the app from Google play, I'm not sure if the play integrity checks work without an account or if it is needed for that
@fallbackerik @pojntfx @arjen so yeah, good point, maybe you don't need an account, but it still wouldn't work an a degoogled phone
So maybe it's not as bad, but still badAnd I'm not sure if people who are banned from having a Google account are also forbidden from using those other Google services (without an account)
(Of course you could still just use them, how will they know it's you? But we shouldn't expect people to break end user agreements)
