Comment by nip
12 hours ago
In light of all of these shortcomings with platform attestation, why go with the eIDAS 2 wallet approach at all? eIDAS 1 already solved this with Mobile-ID (SIM-based, no Google/Apple dependency) and Smart-ID (server-side key management with minimal platform reliance). What does the wallet model give you that justifies this level of dependency on two American corporations’ proprietary backends?
Especially considering that mobile-ID has been around since 2007.
SIM-based solutions are on their way out because phones are starting to lose SIM slots. Certifying eSIM implementations to the same EAL level (as Mobile-ID SIMs are) is way way too difficult. At least for one country doing it alone.
Smart-ID sucks. It's not truly hardware-backed, it's proprietary and has fundamental flaws like not having a direct link between the site being authenticated to and the authenticating device (auth can be proxied, just like if it were just plain TOTP).
Agree on Smart-ID but the answer is to fix those flaws, not to replace the entire approach with one that depends on Google Play Integrity verdicts that even the German architects admit they can’t fully trust.
SIM-based solutions on their way out is a non-issue. For eSIM to support that use case, political will only is needed: the EU got Apple to abandon the lightning cable, this is not any different.
> Agree on Smart-ID but the answer is to fix those flaws
Fundamentally can't be, it'd be a whole new solution.
> For eSIM to support that use case, political will only is needed: the EU got Apple to abandon the lightning cable, this is not any different.
Mandate every phone vendor to EAL4(+) certify their eSIMs? I'd love to see that, but I'm not sure that's a viable approach to take.
EIDAS 2 motivation is implicitly that eID failed in eIDAS 1. It simply either didn't take off or didn't work at all
I’m sorry to lash out at you but I keep getting disappointed in European countries (more precisely the ever disappointing EU commission) all suffering of the NIH syndrome instead of collaborating and learning from each other
There is mothing to be gained politically by doing this. You think you look good if you say “hey, the Poles had this really good idea, how about we do the same”?
Plus, the process is something like:
- we want to do $something
- hire consultants to help us define $something and produce a document
- hire other consultants to write the specs for the project
- launch an RFP
- select a winner
- wait for the implementation to finish
All the proposed solutions will be something paid, ideally made by a really large company to lend it credibility, and with maintenance costs that justify hiring dedicated people for it.
In the end no one gets what they want.
You think if there was any will wouldn’t the whole EU use whatever the Estonians are doing very well?
> You think you look good if you say “hey, the Poles had this really good idea, how about we do the same”?
Yes.
> You think if there was any will wouldn’t the whole EU use whatever the Estonians are doing very well?
Using the Estonian system would be vastly preferable.
If politics doesn’t allow that, the political environment is broken.
1 reply →
Isn't the eIDAS 2 wallet approach a legal requirement of eIDAS 2 (which is an EU regulation, i.e. the law).
It is, mandated by the EU commission.
Instead they could have mandated the use of eIDAS 1 to all countries + extend it with attribute/credential support, and let countries choose their implementation (cards, SIM, server-side).
Instead we’re back to the drawing board with the big shortcomings highlighted in this thread.
Oh OK, I understand your point now.