Hacker News

German implementation of eIDAS will require an Apple/Google account to function

German implementer here. We have to use some kind of attestation mechanism per the eIDAS implementing acts. That doesn't work without operating system support.

The initial limitation to Google/Android is not great, we know that, and we have support for other OSs on our list (like, e.g., GrapheneOS). It is simply a matter of where we focus our energy at the moment, not that we don't see the issues.

by webhamster
I think attestation should be abolished altogether. An app should have absolutely no way of knowing what kind of device it’s running on or what changes the user has made to the system. It is up to each individual to ensure the security of their own device. App developers should do no more than offer recommendations. If someone wants to use GrapheneOS, root their device (not recommended), or run the whole thing in an emulator, a homemade compatibility layer under Linux, or a custom port for MS-DOS, that should be possible.
by RandomGerm4n
What if you "lose" your Google / Apple account, like this sanctioned judge of the International Criminal Court? Crazy to imagine that we are still baking in dependency on US providers in European societies, even though there are clear indications we should be doing the opposite?
by jakoblorz
I am shocked that there isn’t more opposition from the general public to policies like this that erode privacy and freedom. I am a parent and can appreciate the need to control what children do on the internet, but at some point parents need to parent. I fear we’re giving up a lot of freedom and adding unneeded complexity under the guise of keeping children safe.
by cebert
It makes no sense. eIDAS 2.0 specs don't require specific hardware [0]. They basically store verifiable credentials [1] and any other cryptographically signed attestations.

This feels like laziness from German implementers, as they don't want to (quoting the spec literally) "implement a mechanism allowing the User to verify the authenticity of the Wallet Unit".

0: https://eudi.dev/latest/architecture-and-reference-framework...

1: https://eudi.dev/latest/architecture-and-reference-framework...

by darccio
All these requirements for specific hardware and software are ridiculous. Let every citizen use whatever computer they want. It should be up to the user to secure themselves. Authentication should only require a password or a key pair. If the user wants more security, they can set up TOTP or buy a security dongle or something.

It's also ridiculous how it seems we've forgotten computers other than smartphones exist and that not everyone even has a smartphone, let alone with an Apple or Google account.

by AlBugdy
Does this mean sanctioned individuals, such as those in the International Criminal Court, would be unable to access eIDAS, among other things? As it requires, from my understanding, installing app(s) from the play store, thus requiring an account there and being able to access it, which isn't happening if you're among those or really, in any group that might get the same treatment in the future.
by 0x_rs
Requiring people to use products from one of two private American companies with a bad track record of locking people out of their accounts is more than “not great”. Some things are better not done if they can’t be done well.
by makerofthings
Self Sovereign Identity (aka SSI) is the only way out of those identity sovereignty issues. It shouldn't be acceptable that your identity depends on anything or anyone. It should just be your identity.

A paper or certificate can prove an entity trusts your identity to be <firstname, lastname, etc...> but that shouldn't be your identity.

You just are. Not your google Id, not your Apple Id either of course.

Governments are lame.

by weddpros
I'm not quite sure if the German implementation is possible without mobile devices (couldn't find anything on that at first glance). The Austrian implementation, on the other hand, does not require a mobile device; if you want to do it on a PC you just need a FIDO2 token.
by wolfi1
ISO7816 (smartcard) has existed for nearly 4 decades as the standard secure identity card, widely used by the banking industry among others. Very unintrusive and not hostile beyond needing to carry a little chip. If governments want a national ID, they could just give everyone one of those.
by userbinator
That sounds like a very smart move at a time when Europe realizes the US isn't such a great partner and is trying to reduce its critical dependencies on foreign nations' tech and infra. Good job. I'm actually very surprised to see this from the Germans, who have this reputation of a great engineering culture.
by lta
The solution is simple : https://www.europarl.europa.eu/petitions/en/artcl/I+want+to+...

Because you'll be stonewalled by devs, because they can't really change decisions made by higher-ups.

Edit: I'd sign it, but don't want to manage and diffuse it.

by ldng
Mastodon thread on this topic: https://mastodon.social/@pojntfx/116345677794218793

See also this issue from 2025 where the developers responded: https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...

AFAICT, there is no mention of an Apple or Google account being required in general - the documentation just lists "signals" that are used to securely authenticate a person - such as Google's/Apple's security ecosystems. I am not sure what this means in practice. Can anybody with deeper understanding explain the actual implications and possible outcomes?

(Note: BMI is the German Federal Ministry for the Interior)

by raphman
What does eIDAS do?

Does this lock Germans out of society if they don't buy American tech?

by 8note
Google is becoming a bit draconian. They did not allow me to create a new email account, saying I already have too many accounts. But they also don't allow me to delete existing accounts, saying there is no authentication method available to access/delete those old accounts.
by zkmon
The Danish MitID also only runs on Google and Apple devices. No alternative phone platforms are supported, including open-source Android.

If you don’t have an iPhone or an Android, you can get a physical one-time password device.

by chvid
Same in Switzerland. The app needed to sign in to fill out my taxes doesn't work on ungoogled Android.
by TobTobXX
In context of eIDAS, your phone starts to be used for much more sensitive matters than typing comments or even logging in to your bank. The repercussions from having a secretly patched bootloader can involve another person assuming your identity, including for large B2B transactions.

Requiring citizens to have (buy) some device to simply prove they are who they are seems hostile and dystopian to me. Some say it’s the future; I’m not convinced.

However, if you were to allow me to use my pocket computer (and nothing else) to prove I am who I say I am, you would want to trust that I am not pretending to be somebody else after extracting private keys from their phone or whatnot. I.e., you would want to require some sort of trusted computing.

Currently, that seems to only be provided by closed ecosystem phones.

Even still, I think it’s a mistake to be rolling out eIDAS as a mobile app first. The specification allows for this to be a dedicated hardware key (maybe even something YubiKey-like, and the EU already requires all phone manufacturers to have USB-C), so why not start with that.

by goblin89
As someone living in Germany, the alternative would be snail mail, which is used to send a pre-authentication code, username and then another code. This is pretty common with insurance providers, German traditional banks, etc. However, the annoying part is that if you ever forget or lose the code, then you would have to request a new one via mail that would arrive like 2 weeks after.
by sajithdilshan
Time for a digital Reichstag fire. When will the Germans stop repeating history?
by coretx
EU depending so much on Goo/App feels suspicious for direct lobbying, as someone noted. If I were Ursula, I would draw a red line: no US digital dependence. But the rounding error of the rounding error of these trillion dollar companies is enough to expunge the nonexistent EU infra.
by tsoukase
Europe needs a private European identity provider. Until this happens, Europe will remain a technological vassal state of the US.

These are expensive products, you need depth of expertise and experience to create a system that could compete with the likes of gmail and Microsoft and ... so it's not a wonder that this hasn't happened yet. But pretending like this can be a public service is foolish (too high stakes ~~if~~ when it gets hacked), and pretending like existing providers that offer identity and email are sufficient is equally foolish. Google and ms and apple etc all offer the basics for free, and this is necessary for mass adoption. It will be an expensive project. But necessary, if the eu wants strategic autonomy.

---

Oh and requiring a us based account is not even the most egregious part of this proposal, ffs

by thomasingalls
That headline doesn't match the article at all. Can someone elaborate/confirm this really is the case?
by rkagerer
It seems that many Android devices won't satisfy the requirements, even when using a device approved by Google:

> MEETS_STRONG_INTEGRITY also includes the requirement that the device has received a security patch _within the last 12 months_

Good luck with that.

by SkiFire13
Oh but isn't that great. This is just the kind of digital sovereignty these times call for.

Sometimes I wish the Germans had an island of their own somewhere up north near the american continent.

by ttkari
Can anyone point me to where in the MDVN page it mentions requiring Apple and Google account? Thanks
by livvy
Is the link broken for anyone else? I'm getting ERR_CONNECTION_CLOSED.
by jml7c5
Simply, eIDAS must work on smart cards and desktop USB/built-in card readers, not a mobile (cr)app.

BUT governments do not want sovereignty more than they want to snoop on citizens.

by kkfx
How many billions will EU countries spend on this bullshit? Who needs it?
by nickslaughter02
Possibly I'm not smart enough to understand, but from what I see, the implementers intend to leverage the existing security architecture of Android/Google and iOS/Apple, respectively, arguably to drive adoption. The document doesn't state anywhere that an Apple/Google account is a requirement to use German eIDAS. From what I can tell, one may (continue to) use one's government-issued ID card with electronic signature for authentication.

Please prove me wrong, I genuinely want to understand the implication of the linked document.

by blindseeker
Knowing the Germans, how much of a fiasco will this be? Many Germans despise having to go online with specific services due to "Datenschutz". Now you are telling them that they need an external (American) service in order to use this?

What I don't understand is: ELSTER (taxes) already uses electronic signatures, don't these signatures already fulfil the requirements of eIDAS? Why do we even need Google/Apple?

by trklausss
> threats:

> unknown system image (e.g. custom ROM)

Oh no, what a horrible crime, somebody dared to modify the operating system on their own device...

by zb3
So much for digital sovereignty
by nixass
Corporations + government = fascism.

Fascism is the reality.

And it's global.

Global fascism is what is already the case.

by verisimi
lobbyists!
by robertDouglass
what's eIDAS?
by NooneAtAll3
So what was the point of putting a crypto chip into every ID if you are gonna try and reinvent the entire trusted environment in the fucking smartphone?
by stefan_
Well, since it happened also for my gov (France) 10 years ago, we can see this pattern happening in the whole EU.

There is a mixture of incompetence and big tech aggressive lobbying on gov 'standards' all over the EU... making anything internet hard-locked on big tech's ultra-massively complex software, protocols and file formats.

In my country, it is the web: classic web support interop was actually killed 10 years ago. Now, only web apps requiring one of the gigantic and ultra-complex web engines from the WHATWG cartel are working. No more 'small' web engines (including their SDKs) do work, and it did close the door for good to anything 'not big tech' (here the WHATWG cartel), what a bummer, oopsie!

It means in my country, to interact with the gov agencies and dependencies, you are now FORCED BY LAW to use only WHATWG cartel web engines. Wow, corruption (there is big public money there)? brainwashing-grade lobbying (what seems to be the case)? incompetence (always expected on complex matters)?

To add insult to injury, in my country, the ONLY person who has the power to fix that is the prime minister (then also the president). Oooof!

Of course, very simple classic web sites do work on 'smart phones' (Apple did threaten to remove its browser... we know why: to force a technical hard dependency on them since they have a significant share of the "market").

We all know their weak spot: a simple and stable-in-time, "good enough" to do the job, set of existing protocols/file formats (to protect the SDKs, I would include the computer languages, for instance excluding C++ and similar for plain and simple C and assembly to protect against the obviously ultra-complex SDK components): it will reduce dramatically the complexity and size of any current and future local implementations.

What seems to be happening when I look at that: some people all over EU countries are trying to fight their way out of big tech because of gov officials probably being brainwashed by lobbying (do not exclude the possibility of "corruption", and there is always some level) or incompetence (which is expected).

Since it is happening in France and Germany, core of the EU...

Now what?

by sylware
So much for Europe to decouple from orange-man country ...

It is so clear how lobbyists operate here. I'd call it undermining national sovereignty.

by shevy-java
:facepalm:
by letmetweakit
The title is misleading.

App attestation does not require an Apple account nor a Google account. For Android, it does limit the ROMs to Google-certified ones and requires GMS to be installed if Play Integrity is used. An alternative option would be to use the Hardware Attestation API directly; GrapheneOS would be thanking you.

I've spent a good amount of time implementing exactly this type of system for a backup service.

This document specifies a way to cryptographically attest the integrity of an HTTP request hitting a server.

The attestation proves the request came from a device and attests the legitimacy of the bootloader, OS and app.

Google and Apple are in a privileged position to be able to bypass the app attestation though, so depending on the threat model, it's not bulletproof.

edit: Play Integrity could be the worst offender here, as it can be leveraged to force a user to have installed the app through the Play Store. Indirectly, requiring a Google account.

by AppAttestationz
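The two attestation paths compared in the comment above (Play Integrity versus the hardware Key Attestation API) and the MEETS_STRONG_INTEGRITY patch-age point raised by SkiFire13 earlier in the thread, as an added worked example that is not code from the thread, from Google, or from the German wallet project. It is a server-side policy over already-parsed attestation fields: the package name, nonce, challenge, verified-boot key digests and patch levels are constructed placeholders, and Play Integrity token decryption and attestation certificate-chain validation are assumed to happen upstream. The contrast it shows is that with Play Integrity the server only sees Google's coarse verdict labels (the 12-month patch rule is baked into MEETS_STRONG_INTEGRITY and cannot be relaxed), whereas with Key Attestation the server reads verifiedBootState, deviceLocked, verifiedBootKey and osPatchLevel itself and can pin an alternative OS's verified-boot key or choose its own patch-age window.

```python
# Added example (not from the thread or from any wallet implementation):
# server-side policy over two Android attestation paths.
# Token decryption (Play Integrity) and certificate-chain validation against
# Google's attestation roots (Key Attestation) are assumed to happen upstream;
# this code only decides on already-parsed fields.

# Constructed sample: decrypted Play Integrity verdict. Field names follow the
# documented verdict JSON; every value here is invented.
PLAY_INTEGRITY_VERDICT = {
    "requestDetails": {
        "requestPackageName": "de.example.wallet",      # hypothetical app
        "nonce": "c2VydmVyLWlzc3VlZC1ub25jZQ",
        "timestampMillis": 1_700_000_000_000,
    },
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {
        # Google's coarse labels; the patch-age rule behind
        # MEETS_STRONG_INTEGRITY is not visible to the server.
        "deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
    },
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

# Constructed sample: fields a parser would extract from the Key Attestation
# extension (OID 1.3.6.1.4.1.11129.2.1.17) of the attestation leaf certificate.
KEY_ATTESTATION_FIELDS = {
    "attestationChallenge": b"server-issued-challenge",
    "attestationSecurityLevel": "StrongBox",   # Software / TrustedEnvironment / StrongBox
    "verifiedBootState": "Verified",            # Verified / SelfSigned / Unverified / Failed
    "deviceLocked": True,
    "verifiedBootKey": bytes.fromhex("11" * 32),  # invented 32-byte digest
    "osPatchLevel": 202501,                     # YYYYMM from the authorization list
}

# Allow-list of verified-boot key digests the relying party trusts. Digests are
# placeholders; a real deployment would pin the OEM and alternative-OS keys.
TRUSTED_BOOT_KEYS = {
    bytes.fromhex("11" * 32): "hypothetical OEM key",
    bytes.fromhex("22" * 32): "hypothetical GrapheneOS key",
}


def check_play_integrity(verdict, expected_package, expected_nonce, now_ms,
                         max_age_ms=5 * 60 * 1000, require_strong=True):
    """Bind the verdict to this request, then apply the device-verdict policy.
    Returns (accepted, reasons)."""
    reasons = []
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        reasons.append("package mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (replayed or foreign token)")
    age_ms = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age_ms <= max_age_ms:
        reasons.append("token too old or from the future")
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognised by Play (sideloaded or modified)")
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    needed = "MEETS_STRONG_INTEGRITY" if require_strong else "MEETS_DEVICE_INTEGRITY"
    if needed not in labels:
        reasons.append(f"device verdict lacks {needed}")
    return not reasons, reasons


def months_between(older, newer):
    """Distance in months between two YYYYMM patch levels."""
    return (newer // 100 - older // 100) * 12 + (newer % 100 - older % 100)


def check_key_attestation(fields, expected_challenge, trusted_keys,
                          current_patch_level, max_patch_age_months=12):
    """Same decision from Key Attestation fields; the relying party sets the
    patch-age and boot-key policy itself. Returns (accepted, reasons)."""
    reasons = []
    if fields.get("attestationChallenge") != expected_challenge:
        reasons.append("challenge mismatch (replayed or foreign certificate)")
    if fields.get("attestationSecurityLevel") == "Software":
        reasons.append("key not hardware-backed")
    if fields.get("verifiedBootState") != "Verified":
        reasons.append("verified boot state is not Verified")
    if not fields.get("deviceLocked"):
        reasons.append("bootloader unlocked")
    if fields.get("verifiedBootKey") not in trusted_keys:
        reasons.append("verified boot key not in allow-list")
    if months_between(fields.get("osPatchLevel", 0), current_patch_level) > max_patch_age_months:
        reasons.append("security patch level older than policy allows")
    return not reasons, reasons


if __name__ == "__main__":
    print(check_play_integrity(PLAY_INTEGRITY_VERDICT, "de.example.wallet",
                               "c2VydmVyLWlzc3VlZC1ub25jZQ", now_ms=1_700_000_060_000))
    print(check_key_attestation(KEY_ATTESTATION_FIELDS, b"server-issued-challenge",
                                TRUSTED_BOOT_KEYS, current_patch_level=202512))
```

On the constructed inputs the Play Integrity path rejects the device because Google did not grant MEETS_STRONG_INTEGRITY, and the relying party has no way to see why; the Key Attestation path accepts the same kind of device with a twelve-month-old patch level under a policy the relying party controls, and would also accept a device whose verified-boot key is the pinned alternative-OS digest. The nonce and challenge checks are what bind either attestation to one HTTP request, so a token captured from another session cannot be replayed.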