Comment by dathinab
3 days ago
> Why was this decision ever made?
because it wasn't made
the decision which was made was having a digital ID wallet, that this needs hardware attestation (or something comparable) is somewhat of a direct consequence of existing laws/regulations regarding making IDs forgery safe
it also is a phone only application
the huge huge majority of phones runs Googled Android/iOS, so you support them
if there where a relevant 3rd party competition it would (most likely) supported it, too
going back to the "the president .. shut down .." argument: The US can shut down >90% of all smart phones used in the EU. I don't think the US being able to shut down something which in the end is fundamentally just a minor convenience feature is making much of a difference here.
But I also think that whole identity wallet (the regulations behind it) is approaching things from the wrong direction, carrying a credit card sized ID with you isn't really a problem or very inconvenient. So instead of having the whole attestation nonsense it would be more practical to simply not have attestation and in turn allow the digital ID only for usage where the damage it can cause is quite limited. Especially given that device attestation systems have a long history of being circumvented...
As a side note this whole app is distinct from the "use you ID with through your phone/NFC with applications" thing many EU countries have, through that solutions also tend to have attestation issues in most cases. But again most relevant use-case of it can be done just fine, without the security level attestation tries to provide, if approached pragmatically.
Have you seen our President? Minor conveniences are what trigger him into launching full blown DOJ investigations, wars, and economic disaster. If he realizes he can just "turn off" the EU, oh, he will threaten that on Truth Social tonight in a rant about how they should make a deal or else.
An open threat like that would be the best case scenario, as it would (hopefully) cause a reaction in EU countries trying to get rid of this yoke. Instead usually it happens through backroom dealings, or just the services being a nuisance to competitors while being helpful to friendly companies, and thus the target country is drained of its resources and economic independence, slow enough to not provoke retaliation.
With the exception of the current US administration, hostile countries and corporations try to appear non-hostile when possible.
I'd like to see if he can be convinced into going after Google and effectively stopping remote attestation. One can certainly dream...
[flagged]
Friendly advice: please don't capitalize random common nouns like the president does. It's a marker of one's affinity toward precision (among other things).
you're being this pedantic about someone capitalizing "President"?
30 replies →
What does 'marker of affinity toward precision' mean?
1 reply →
> having a digital ID wallet, that this needs hardware attestation (or something comparable) is somewhat of a direct consequence of existing laws/regulations regarding making IDs forgery safe
How do you figure? Isn't just having the digital ID be signed by a key belonging to the issuer good enough for that?
I think they are saying the signed ID can be copied to another device. Unless such ID needs to have acces to some TPM that can be trusted, which likely requires then specific trusted hardware and software
> I think they are saying the signed ID can be copied to another device.
But that's not what a forgery is.
If something is actually important, don't put it on a computer. Don't let a computer be in the critical path of anything that actually matters. It's really quite simple. Even before "AI" this technology was not reliable enough for serious, important things--systems that need to be maintainable in adverse conditions (battle damage, etc), systems where failure is not an option (proving your identity, proving your children are yours, ...). If you care about your car, truck, tractor, or dozer being maintainable and reliable, don't get one with a computer in it. Until we can figure out how to make these things reliable and maintainable they're not to be trusted.
I feel like we need a war or something to show everyone how brittle we've built everything, and how unnecessary it all is.
> If you care about your car, truck, tractor, or dozer being maintainable and reliable, don't get one with a computer in it.
Got a list of widely available cars and trucks 'without a computer'? :D
Anything older than about 1990, some as new as early 2000s.
Can you show an example of defeating hardware attestation? It would be useful for many 3rd party ROM users.
Gaming consoles typically have hardware attestation (as in verified software on verified hardware, sealed), and it has been broken many times in the past.
I'm interested in phones.
most times it's done by (reliably re-)rooting a attested phone in a way which bypasses detection of the attestation system
so not really useful for 3rd party ROMs
Quite useful for scammers, though, which is why this is so irritating with regards to digital IDs.