64 comments

[ 3.0 ms ] story [ 558 ms ] thread
I use coinpay’s DID it is simple anonymous and works it’s open source too
> Governments are cementing a monopoly they claim to oppose

Duopoly but yea. Because there is no third alternative. Microsoft failed/gave up with Windows Phone. The people trying to fix secure government services can't really tackle that issue, but the systems needs to be built now anyway.

A European digital ID system that is entirely dependent on 2 US companies.

Wasn't there some talk about the pressing need for European digital sovereignty recently? Or was that just performative nonsense?

Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost.
EU should have mandated a user-facing authentication scheme using a random string as the only authentication factor for everything. Pretty much like the API tokens for contemporary enterprise software, except that they would be used by ordinary people and not by application developers.

And complement it with hardware tokens for highly sensitive applications.

Passkeys could have been that, but they were quickly subverted by the industry.

Working as intended. EU wants you to use a device and OS they can fully control. Don't comply with some new ridiculous regulation? Your app will be banned.

> EU App Store: Apple Removes Thousands of Apps Due to Digital Services Act Requirements

> Apple’s app removals follow the Digital Services Act, a European law requiring all app traders to display verified contact details, including address, email, and phone number.

https://www.techrepublic.com/article/eu-app-store-apple-digi...

You think apps which wouldn't want to implement Chat Control will remain on the app store?

EU to legislate about Chat Control behind closed doors (https://news.ycombinator.com/item?id=48707719)

Time to reach out to your MEP's! I would imagine the id could web-based for example which would make it much less dependent on the Google's or Apple's "SAFETY" services.
Seif-Sovereign Identity wallets that are cross-device are the way around this, but relies on institutions following this path.

Vendor lock-in is real

Huh. This article lumps Apple in with Google when its only qualms seem to be with Google's terrible behavior. The entire article is about Google Play.
I don't know who thought that national ids should be vetted by two private companies, not even European!

No thanks, I don't want any of that for obvious security reasons

The EU reference for wallets strictly required google play services https://github.com/eu-digital-identity-wallet/eudi-app-andro...

So Italy's IO app https://github.com/pagopa/io-app (wallet, documents, age verification) continuously refuses the users' request for GrapheneOS support and requires google.

Nothing will change until the lawsuits start coming in.

The only hope is the motorola/grapheneOS collaboration and consumer associations, that might sue for anticompetitive behavior.

Make noise on any channel for the apps that require play services, it will help in the future if the lawsuits start, since it will show user support for the initiative.

Here in Germany we had court rulings saying the german railway (DB) must offer offline tickets that do not require a computer or smartphone to purchase to not discriminate against the elderly. I am pretty sure we will see similar rulings for EUDI wallet requiring Google/Apple.
Even relying on Android's hardware attestation API instead of Play Integrity is an attack on digital autonomy in my opinion. Any security feature which relies on remote attestation of the users entire platform is government overreach as it ultimately gives the government the power to choose what operating systems are acceptable. It is only a matter of time before this power will be misused to put pressure on OS developers to install backdoors for the intelligence agencies. And no, asking people to own two smartphones is not a solution to this problem.

Anonymous digital age verification based on a suitable ZKP scheme and/or blind signatures does not require a general purpose operating system, it just requires a few cryptographic primitives and a set of device-bound keys. It is not too much to ask that the EU develops a specialized hardware token with these exact capabilities and offer them for free to all citizens as an alternative to the app. This also gives the citizens of EU the freedom to choose not to own a smartphone without having their access to digital services severely restricted.

Sarcastic view: Doesn't matter - the EU wont listen, then pull a surprised pikachu and make laws to force googles play integrity to attest that other devices are genuine, because obviously, the problem is google, not stupid design decisions made while creating the app.
I really don't like how EUDI (OpenID4VP) works in the first place. IMO it should be scrapped and rebuilt from the ground up

It should be an open standard that's local first. Government issues certificate, user loads it into any supported client app on any platform (official, open-source, Google/Apple Wallet, etc). The user should then be able to selectively share data from the certificate with third-parties, directly between the client-app and the third-party, using an open standardized protocol/format. The important challenge is that we obviously shouldn't have to share the entire certificate (which would include all data in it), there shouldn't be a static subject pubkey which creates linkability between data-shares, and obviously we'd need privacy-focused data fields like {"isover18": true} in addition to full DoB.

(comment deleted)
(comment deleted)
Is it out of character for the EU to push a half baked solution out that covers most but a tiny fraction of the population only to get sued later on and rule against its own idea?
There's a relatively simple and much more open and secure solution to this: Make physical EU ID cards the attestation source, and require users to tap them against their phone for critical operations (high-value signatures, login on a new device or after repeated authentication failures etc).

That would solve the open hardware/OS "problem" on the device entirely, as there's no trusted hardware or OS signature required anymore. You could argue that this adds the possibility of a MITM attack on the phone (since you don't know what you sign anymore or who you are providing with your PIN, as the card has no display and no PIN pad), but I wonder if mitigating this is worth all the lock-in concerns that phone attestation goes hand in hand with.

As it is, all EU ID cards already have mandatory strong cryptographic authentication, but in a form that's usable only for in-person ID checks (under the corresponding ICAO biometric identity document standards), not for remote ID attestation. This is frustratingly close, but not what's needed.

Why cant EU have something like Adhar (ID-verification for Indians) https://uidai.gov.in/en/

It captures biometrics and is used across India to easily verify identification using OTP on mobile. Used across almost every sphere - bank accounts, passport, financial services like stocks/mutual funds etc.

You get a unique adhar-id (or can generate virtual IDs if sharing temporarily) to verify your identity across any service.

Its all lining corporate pockets but what can we do? Europe needs sovereign smartphone infra but even if that existed people would still prefer Iphones.

The corporations have the tech and network effects on their side.

Digital single market, digital sovereignty and all those nice words...