https://bmi.usercontent.opencode.de/eudi-wallet/wallet-development-documentation-public/latest/architecture-concept/06-mobile-devices/02-mdvm/
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx Wait, what?!
-
Tech companies writing their own rules is a "regulatory hijack"
What happens if their age verification app is hacked?
Or if these corporations are sold, bankrupt, amalgamated, or nationalized by the state?Privatization or financialization of the means for assuring identification is a very bad idea.
Remember who invests in both Google & Apple.
https://www.businessinsider.com/saudi-arabia-crown-prince-visits-apple-google-2018-4https://www.cnbc.com/2018/04/07/heres-a-look-at-who.html
This is just another effort by fossil fuel funded fascism.
-
I've said it before an I'll say it again: This entire project of identity verification with Apple/Google-account bound mobile devices is going to lead the continent down a dark, dark path into full technological submission to the US
It's completely crazy to order the world to submit to Apple/Google.
But by now, America has been doing all sorts of things that were unheard of before. They just push to get their way, if necessary start with absurd demands that they will 'tone down' so the others think they reached a compromise but that really gives America what it really wanted.
I think most politicians by now turned into profit and ego-driven maniacs, real Wannahaves who adore the Haves. -
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx Is that what they meant for European Digital Sovereignity? nice...
-
Oh no... They refer to the text of the ammendment to Eidas called EU Digital Identity Wallet.
It will be law in december in Sweden, sv, "En statlig e-legitimation", de, "Ein staatlicher elektronischer Ausweis", en, "A government-issued digital ID".So if it will be like in Germany it will be a lock-in in Google Play Integrity and Apple's DCDeviceCheck attestation. Just as I suspected. Hope I will be wrong, but looks really bleak for all EU countries if this will be the outcome of the EU digital wallet thingy... EU sponsorship of the Google/Apple duopoly.
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx Idiots!
-
@sstendahl Yeah, if they used ZKs I can see a way to make it great. But nobody - not one single country, anywhere on earth - is doing that.
And it's not just Play Services here. Those we can emulate with e.g. the EU-funded microG. It's specifically SafetyNet/remote attestation. That one can't be swapped out in any way we currently know. It's a hard dependency on Google.
@pojntfx @sstendahl not sure if this is what you meant, but in the Netherlands the municipality of Nijmegen introduced initial support for Yivi, also available on F-Droid. That seems close, or am I missing something? See: https://docs.yivi.app/
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx reading the documenta I don't think so... At least as far as I understand they list the available signals and then they state whether these signals are used in the rightmost columns. And the play integrity related signals are listed, but mostly unused, apart from SDK version and whether there are apps that may capture content from the verification app. To quote their description of device integrity:
> rooting via unlocked bootloader, unknown system image (e.g. custom ROM), loss of root of trust (e.g. manipulated boot sequence) + Google proprietary backend MDVM verdict to identify compromised devices (we do not know what they are actually doing in their backend)
They also state that it isn't used.
To me, this actually seems quite good -
@LunaDragofelis @tdelmas @pojntfx My bank dropped this years ago, I don't know any security researcher that actually believes this either. They probably just haven't had anyone competent look at it yet.
Hopefully this will be fixed, I'm not in Germany, but as someone who doesn't have a Google or Apple account, I'd be pretty annoyed if I couldn't use eIDAS. (Although I'll happily waste public money by doing paper tax filings if it'd get there :P)
-
If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police
@pojntfx As much as I am with you on the whole "account needed" thing, I think not being able to show a digital license on my phone will imepede my ability of being a functional member of society.
Or, to put it another way, you basically wrote "Everyone without a digital license no longer is a functioning member of society", which is just plain wrong.
-
@pojntfx reading the documenta I don't think so... At least as far as I understand they list the available signals and then they state whether these signals are used in the rightmost columns. And the play integrity related signals are listed, but mostly unused, apart from SDK version and whether there are apps that may capture content from the verification app. To quote their description of device integrity:
> rooting via unlocked bootloader, unknown system image (e.g. custom ROM), loss of root of trust (e.g. manipulated boot sequence) + Google proprietary backend MDVM verdict to identify compromised devices (we do not know what they are actually doing in their backend)
They also state that it isn't used.
To me, this actually seems quite good@pojntfx what bothers me more is that they appear to forbid OS downgrades
-
@pojntfx As much as I am with you on the whole "account needed" thing, I think not being able to show a digital license on my phone will imepede my ability of being a functional member of society.
Or, to put it another way, you basically wrote "Everyone without a digital license no longer is a functioning member of society", which is just plain wrong.
@pojntfx Thing is: we must NEVER accept any digital-only solution for things like this (IDs, license etc.). Analouge/offline life must ALWAYS be possible!
...regardless of where it's hosted.
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
Hallo Bundesamt für Sicherheit in der Informationstechnik.
Möchten Sie zu dem hier gerade Wellen schlagenden Thema Stellung beziehen oder Aufklärung leisten?
Dass eine deutsche digitale ID an ausländischer Infrastruktur hängt, darf doch wohl nicht sein, oder?
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx that's unfortunately very predictable. German leaders are happy to sell us out to US interests. the chancellor casually begged Trump to be allowed to help him destroy Europe
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx Same for the Italian IT Wallet app. People asked on GitHub to drop Play Integrity but they refused to do it.
-
If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police
@pojntfx
It seems like *compatibility* with Apple or Google services for the German electronic ID wallet would be fine, but *dependence* on them is a *huge* mistake. -
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx this is so dumb. What the fuck?
-
@pojntfx This scenario raises two main conflicts:
Availability and Access: The GDPR and EU principles require that access to fundamental rights not depend on third countries. Forcing a citizen to accept the terms and conditions of a private U.S. company in order to use their state-issued identity is viewed by many regulators as coercion that invalidates the “free consent” required by the GDPR. 1/2@mjarteaga @pojntfx and who's gonna enforce the law of the state decides they won't? GDPR enforcement is already bad.
-
-
@pojntfx @sstendahl not sure if this is what you meant, but in the Netherlands the municipality of Nijmegen introduced initial support for Yivi, also available on F-Droid. That seems close, or am I missing something? See: https://docs.yivi.app/
@david @pojntfx I was mostly thinking of NLWallet, which is actually government backed/owned. As far as I know it’s ZKP, and it’s even open-ish (not GPL, but at least source-available). You can build it from source yourself.
But I’m not as knowledgeable on the matter as @pojntfx, so I could absolutely be missing something here on the implementation of zero knowledge here.
See their GitHub page here: https://github.com/MinBZK/nl-wallet
