I don't feel they resist. Quoting them:

> We understand your concerns and truly appreciate your suggestions. As previously mentioned, this is not something that is enforced by the reference implementation — these are simply recommendations, not requirements, for any wallet implementer. That said, we recognize that this is a sensitive topic, and we may need to revisit it, even at the level of recommendations.

> The README files for both the iOS and Android Wallets have been updated to mention only OWASP MASVS compliance, without referencing any specific APIs.

I understand their position, but I also get the concern, especially around existing implementations like the Italian app. I think it's mostly that they have different priorities than ensuring that the reference implementation is a perfect guideline for member states.

This looks like a good vector for a European Citizen Initiative around removing all technological dependency on non-EU providers.

Why would this be? Bureaucracy / inability to change?

Operate European tech infrastructure without a dependency on America challenge (Impossible)

For 99% of smartphone users, you can't get apps onto their phones without Apple and Google signing the app and letting you into their store, and users can't install the app without an Apple/Google account.

Why remove a dependency on Google, when you'll still be 100% dependent on Google?

Anybody working on "Digital ID" has already made peace with the fact that it can be turned off overnight if Trump says so.

So what can be used as an attestation API? WHAT will make sure that when a phone says "you're paying 10 euro to $coffee_place" that it isn't a bitmap being shown over "you're paying 10.000 euro to $scammer", above the pay button. Note: needs to be a real guarantee that isn't a permission question away from going away.

Either governments can develop (and pay for) THAT technology, or they can use Apple/Google ...

Yes but in the real world all smartphones are either Apple or Android. Europe has zero footprint in either software or hardware. It is not creating a requirement to use specific products, it is using the products people already have.

So one may argue that the implementers are only taking the pragmatic approach regarding something that is out of their hands.

There are no alternatives.

I mean you could use Huawei and others, but the FUD campaigns against chinese manufacturers was pretty agressive in the EU.

Maybe that will force the companies to not be allowed to just lock you out of the account.

Do all German hospitals serve vegan food?

If you were averse to carrots (without any health restrictions on eating them), would every government institution in Germany be required to serve you carrot-free food?

If not, why should they be forced to accommodate every smartphone brand in existence, even if there's only 3 people in Germany using it? THe list has to end somewhere.

> Why are we not refusing to implement this until we know we can make it work on all devices?

Simply put: this will never happen. Way too many devices implementations to make this a reality.

because then it will never get done. There are still people using old Nokia phones, for those there will never be a solution.

The usual 80/20 rule applies here as well.

And if you really are a German citizen, you know how slow the wheels of government already turn in Germany, I assume next week you would be the one complaining that "Germany is so far behind" and that "other countries are so much faster at implementing stuff" :)

Do we have stats how many germans use something else than Google Android, Samsung Knox or Apple? I recon it should be less than 1% which quite honestly is in fact „all“ citizens.

What? They should freaking think of sanctions, not about "how easy is to lose Google account". Both Google and Apple are American companies. If someone lands on a sanctions list, they close your account without further notice [1].

Let me get this straight: you can be a defender of human rights, aligned with the country you live in, but if you fall in disgrace with the American government, _you can't even do transactions with your own country_.

So this is fundamentally flawed, and violates the fundamental rights of German citizens in Germany.

[1] https://www.lbc.co.uk/article/british-icc-chief-prosecutor-l...

Can't you just make a new google account then?

SIM-based solutions are on their way out because phones are starting to lose SIM slots. Certifying eSIM implementations to the same EAL level (as Mobile-ID SIMs are) is way way too difficult. At least for one country doing it alone.

Smart-ID sucks. It's not truly hardware-backed, it's proprietary and has fundamental flaws like not having a direct link between the site being authenticated to and the authenticating device (auth can be proxied, just like if it were just plain TOTP).

I’m sorry to lash out at you but I keep getting disappointed in European countries (more precisely the ever disappointing EU commission) all suffering of the NIH syndrome instead of collaborating and learning from each other

Isn't the eIDAS 2 wallet approach a legal requirement of eIDAS 2 (which is an EU regulation, i.e. the law).

European Citizen here, and indeed lots of people in IT turn a blind eye onto the collateral damage their work may create.

I know someone who happily codes "verifiable credentials" in Elixir, disregarding all externalities.

Plenty of EU countries have rolled out SmartCards for this exact purpose, some are now adding NFC functionality. Nothing really stops Germany from continuing like that either.

The issue then becomes the UI/UX. If the legal mandate is not strong enough the solution will not gain enough ground. You can see this if you start comparing those countries with an eID rolled out.

Banks actually have high fraud rates today because of weak security mechanisms. If attackers steal your money, the bank will reimburse you. If attackers steal your identity, you are really screwed. Security requirements for banking and identity are simply different.

I'm pretty sure electronic IDs are a good starting point for exactly this. Hopefully they get wider use inside the EU.

Preventing credential duplication is a requirement to achieve high level of assurance. One of its purpose is to limit the potential damage that can be done by attacks. If credentials are bound to hardware-bound keys, attackers will always need access to this key store to make any miss-use. If you don't prevent duplication, attackers may extract credentials and miss-use them at a 1000 places simultaneously.

I’ve just had another, completely stupid but not implausible, idea:

> a local internal WSCD, which is a component within the User device, such as a SIM, e-SIM, or embedded Secure Element,

So you could issue SIM-cards / eSIM profiles that only do signatures and nothing else. The app then connects to such eSIM (and you keep your main SIM/eSIM in another slot).

The less stupid variant is, of course, to get mobile operators to issue SIM cards with e-sign capabilities. Estonia has that, for example: https://www.id.ee/en/mobile-id/

Simply because the law was written that way. But also the whole idea of identity verification becomes pretty useless, if there is no chain of trust. You could run a modified client that lets you assume any identity you choose, exactly the opposite of what eIDAS is trying to achieve.

This is necessary because the wallets contain an identity proofing functionality called PID(Person Identification Data). Showing these credentials basically approves you are you. There are high requirements for identity proofing that even pre-date wallets and that makes sense, because the potentially blast radius of identity theft is huge. Historically, these have been secured in smartcards, like eID cards or passports and are not shifting to the smartphone. Verifying the security posture of your device and app is therefore crucial.

One datapoint: at least in practice, it used to be impossible to delete an entry in the French INPI database (trademarks and company names) without eIDAS. It forced me to unearth an old unmodified Android phone (I run LineageOS on my main phone).

If you read French:

* https://www.plus.transformation.gouv.fr/experiences/4531155_...

* https://linuxfr.org/users/jch-2/journaux/l-identite-numeriqu...

They don't really want to.

They won't implement alternatives later, they'll be no point if "most of out customers is using either of the major providers".

Concerning secure enclave - what other device except iphones and Pixels have it actually safe?

Yup. But apparently the EU is refusing to take lessons from history.

It's funny because this is also the exact German response for when your neighbour has an unsanctioned BBQ.

I bet £50 that the alternative (eg GrapheneOS attestation (based on the standard AOSP attestation)) will be delayed, then delayed, then scrapped since almost everyone is using Google Plag integrity anyway.

Yes, I assume malicious intent, sorry, seen this happen enough tines recently.

Fingers crossed for the judiciary - if the implementers ignore the intention of the law, then lawyers will have to help them understand the limits of corner cutting - and block this.

The hardware tokens ate being phased out by banks and replaced with SMS OTP codes + passwords.

Cost saving measures.

Its funny to see that I can access the bank account through FaceID but to actually make a payment I need to use an SMS code.

Note that for eIDAS 1, a Czechia e-identity provider uses U2F tokens.

To play the devil’s advocate here: MEETS_STRONG_INTEGRITY on Android doesn’t require a Google account AFAIK. But it might change, of course.

Edit: but as pointed out elsewhere in the thread, Play Integrity is not the only way to do hardware attestation on Android. GrapheneOS devs have a guide: https://grapheneos.org/articles/attestation-compatibility-gu...

So avoiding proprietary Google stuff altogether is possible and we should encourage it.

No one is required to use EUDI: https://ec.europa.eu/digital-building-blocks/sites/spaces/EU...

Companies and providers (like banks) have to support it, but use is voluntary.

Check out the spec and legal framework, it actually makes sense and is open to different implementations, though you might need to certify it.

I wonder if there will be a big enough market for a very compact smartphone equivalent device that can be used just for credentials? A device that is offline on standby except when you need it. Perhaps the size of a car key.

You're screwed. This has been the way for a while now. You cannot exist in society without a smart phone and it's only going to get worse.

Users have the right to modify any app running on their own device. Software security should never depend on the user having no control over their own device. Smartphones are essentially just regular computers, and on them you can use a debugger and do whatever you want. Viewing smartphones as closed systems like game consoles where you need the manufacturer’s permission for everything only leads us into the dystopia that Richard Stallman described as early as 1997 in his short story "The Right to Read"

Comparing being able to run the hardware and software of your choice to "wanting a passport in a different color or whatever" is so completely fucked, and it's beyond insane as a justification for giving two American tech companies with a well established track record for doing evil control over your citizens' ID.

The world has gone absolutely mad, what the fuck am I even witnessing? It is quite literally becoming 1984 in front of my eyes, with people complying completely voluntarily and openly advocating for it, not even a threat of force to make it happen.

Well, in that case, if they want full control and attestation yadda yadda, I'm fine with them shipping me a device they fully control exclusively for use of this stuff. But if we're talking about my smartphone that I paid for with my money that I worked for, I will do whatever I damn please with it. So I guess that means eIDAS will be inaccessible to me.

True, but its really hard to name a family of commercial devices with security features in hardware, including serious security features, which were not eventually hacked.

Worse still, for new mainstream devices that are believed to be safe the state sponsored actors will likely operate unpublished exploits, and will exploit the misplaced faith people and judiciary will put in device attestation. I dont think the very likeable people who worked on Pegasus found themselves respectable jobs - they are likely still selling that sophisticated crap to all authoritarian regimes.

This is not a hypothetical problem and you don't need to be deliberately targeted. It actually happens to normal people. And if it does you have absolutely zero recourse.

Source: I have a banned Google account (it's over 20 years old at this point). I know the password, but Google doesn't let me log into it. Every few years I try to unsuccessfully recover it.

If you have a Google account and having it banned would be a problem for you here's my advice: migrate. Right now. You never know when one of their bots will deem you a persona non grata.

Not sure I‘m getting what you are saying - us providers‘ capital city is always in Washington DC, no?

Sorry if I’m misunderstanding something here

The non-technical narrative is very simple: Google, Apple, or the German government can revoke your ID at any time. You cannot purchase or sell anything[1], sign any contracts, have a job, rent an apartment, use public transportation, or receive any kind of government services without an ID. This should sound extremely alarming to everyone regardless of technical knowledge.

[1] Maybe with cash, for now, but cash is clearly not long for this world, and your bank account will be inaccessible already.

> Write too many color emojis in a row on a YouTube livestream chat

> Get banned from society for life

Well, it affects a tiny percentage of people today, so why would they see it as impacting them?

But there is nothing abstract here. A private entity, situated in a country that is very hostile and pro-Russia, controls parts of the software stack and implementation here. That's a law written by lobbyists.

I think this view is too reductionist, as people can (and usually do) debate more than one topic at a time. The problem is that technological dependence isn't gaining enough precaution when commodity products are being discussed.

What worries me is that it's a real global problem in all of our non-autocratic societies. On a positive note, I can see how this is actually becoming a common understanding and gaining traction, as hyped AI products are seen by some as 3rd-party- or SaaS-killers. It seems like we know how to differentiate between independence and dependence, and evaluate any risks affiliated with such a decision. But it baffles me that this differentiation manages to float as some ironic stream in our Zeitgeist, and just barely manages to be taken seriously.

Nobody is seriously discussing speed limits right now ...

Imagine we had real democracy where people vote on issues. Speed limits? Vote once every 7 years or so on it and be done with it. Same for abortion laws, drug laws, gambling laws. Have a debate, vote, come back to it in 7 years if there is public interest. Preferably vote locally on issues that can be applied locally (like speed limits/enforcement etc.).

Public debate and assessing politicians and parties would be so much cleaner then if they couldn't use polarizing issues to rally their support and do w/e they please on all other issues.

> every energy crisis brings opportunity to saturate the airwaves with shallow noise that gets people overly upset and they’ll ignore everything else.

At least their version has an obvious solution: Make electric cars and solar panels and then stop having oil problems.

It feels like this era of hyper-individualism requires too much attention from each individual and favors those that can afford to outsource the work. While that stabilizes the role of society as a system, I feel like this is most worrisome for the less privileged in any low-trust environment.

My uncle has lost 4 Google accounts. Two to password loss, one to a fire, one to being banned for crimes against currency (having the audacity to live in several countries with different currencies)

The issue isn't the phone, it's that a __government__ is depending on an unregulated private enterprise.

I think the point is rather what percentage of people will continue to need to have a phone that is Apple or Google, due to death by a million decisions like these.

The age verification sniffing laws will come to the EU and Germany too, so your assessment is, in my opinion, too limited and incomplete. It's not really about parenting, it is about grabbing more and more data from people.

The digital Euro seems still in early planning stages. It seems people want to plan a physical card for it, but whether online payments will work without a platform dependent app is unclear for now.

Wero however is currently only planned as an android/ios app period. There are rumors that a card will come but that's only rumors for now.

In your list of groups to be baffled about I would add journalists. You see many articles about Wero mentioning digital sovereignty, but have you seen any that criticize the required banking apps only being available in google's and apple's app stores?

"Legislation will continue until morale improves."

The regulations sometimes feel like additional burden of the user, but not for the manufacturers (aside for the attestation logic); consider:

> (MEETS_STRONG_INTEGRITY requires a security patch in the last 12 months)

Think about how this essentially codifies planned obsolescence due to not forcing the manufacturers to maintain the devices for life.

> The current policy trend in the EU is definitely not based on the principle of each user evaluating their own risk.

Yes and if you look back this is not new. Just look at the extraordinary restrictions that apply to:

- What houses you can build,

- What vehicle you can drive,

- What food you can grow and sell.

The result is real estate has become unaffordable for younger people, our car industry is being annihilated, and the agriculture sector hold by a string.

The digital realm enjoyed an unusual level freedom until now because the silent and boomer generations in charge in the EU understood nothing about it.

Now that the EU is getting involved in "computers" we are starting to understand why peasants have been protesting in Brussels and calling those people insane for decades.

It should be legally required to provide enough interoperation capabilities for a compatible frontend to be written for an Apple II by whoever would like to do that, as the government can't be expected to write and maintain clients for every platform that's now in existence or that will be created in future.

If only currently popular platforms are to be supported, how could a new platform join them in the future if the use of existing ones is mandated by governments?

No, but it should be open enough to be reasonably independent of specific services and devices.

Simple, provide a simple API, let the community build the clients for the machines they have.

The problem to solve is trust.

The technical solution is a hardware root of trust. This is typically a specially hardened chip in the device. A Trusted Platform Module (TPM).

Your Apple ][ does not have a TPM. It cannot run software that can assess it's identity in a trusted manner.

You can make an argument without pulling it into the ridiculous, you know?

It definitely would be unwelcome for EU authorities in cases like the recent US sanctions against ICC officials.

Physical SIM cards are just as secure as the security enclave on the phone. In Norway few years ago banks even used that for secure authentication that worked on dumb phones with local mobile network providers pre-installing the required software on their SIM cards.

But then to save cost including the support cost banks stopped and instead started to require a non-rooted Android/iPhone.

> "but I want to install alternative Android etc etc" yes that's fine - but you know this is a non-secure-(enough) env.

I feel like this is getting to the point of gaslighting. Many of the allowed devices are bargain bin Android phones running out of date software with known vulnerabilities in both the operating system and the hardware which is supposed to be protecting the keys.

Meanwhile you could be using a hardware security module in a bank vault in a nuclear bunker surrounded by armed guards and the excuse would be that this "isn't secure" because it hasn't been approved by Google or Apple.

Governments shouldn't be requiring you to use any specific vendor or set of vendors. They should be publishing standards so that anyone who implements the standard can interact with the system.

> but you know this is a non-secure-(enough) env.

No I do not. It is plenty secure compared to a corporate version and nobody should be legally able to deny service over me having control over my own computer.

Needing the entire OS to be secure to protect a key is also a dumb idea in general.

How is that not lame?

> Austria is quite far ahead

Yeah, quite ahead in terms of making anonymous phone numbers illegal and requiring the government to know your phone number.

And if you don't want to use a smartphone, ID Austria does not work with regular FIDO security keys, you need special ones. Same for the old SmartCard system which didn't work without government-mandated malware.

Austria provides their implementation only to people with Austrian citizenship or people working in Austria

> because card reader support is still shit in browsers in 2026.

Tragedy of the commons, nobody seems to have bothered to work on it. It's not like Chromium or Firefox wouldn't accept contributions.

Nor in the physical world either. Crumbling planes, trains and automobile infrastructure. Collapsed bridges, airports that don't function properly etc.

Ah yes, the fabulous car engineering of Dieselgate.

While I agree, it'd be hard to say that SAP is not good

I wouldn't, as China being the largest single market for motor vehicles and the cutthroat competition there is what caused all this.

Everyone is trying to cut costs so as to be able to compete there and Europeans are paying the cost of financing this.

Personally I'm going to wait until the average car age in China crosses the 10-year mark to get a new vehicle. Until that happens there will be no incentive to think about longevity.

Yes. Without any issues still.

Gladly.

There was a time window 2 years ago where it appeared that I need an actual phone number to do my taxes, but even that was replaced with something more universal.

They are taking feedback there and also have already responded to some of it.

From their README:

> We are interested to receive feedback on all aspects described in the document. To provide feedback, please file an Issue on OpenCoDE.

https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...

There is a 8 months old open ticket, with an official answer, here: https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...

A phone is also required then?

This is an assumption, but not confirmed.

Is there a reason this user-hostile mess is preferred over an X.509 certificate (besides big tech lobbying)?

Slovenia hands out certificates for online government services, including document signing, and it seems to be going fine, with the added benefit that Google can't take away my access.

Do you happen to know if German citizens can obtain a certificate to sign PDFs (from the government / for free)?

Several paid providers for X.509 certificates exist but document signing certificates cost around 80 € per year [0]. And if I want duplicate X.509 certificates for my redundant Yubikeys then the cost doubles.

Other providers require an initial deposit and then charge per signature [1], which leads to intransparent pricing. In the interest of open commerce, I strongly believe that securely signing an electronic document should cost the same as my manual signature, i.e. nothing.

A partial solution already exists because I can use my electronic ID card with the AusweisApp to prove my identity when interacting with German authorities. This feature is generally useful because I live outside of the EU, but I especially appreciate that I can have my OpenPGP key signed by Governikus (a government provider) to prove the key belongs to my name [2].

Technically, I should be able to use my certified PGP key to sign documents, but in practice most non techies don't know how to validate my signature. For the average user opening my signed PDF in Adobe Reader, I would need an X.509 certificate from a trusted Certificate Authority for users to see the green check mark.

[0] https://shop.certum.eu/documentsigning-certifcates.html

[1] https://www.entrust.com/products/electronic-digital-signing

[2] https://pgp.governikus.de/wizard/requirements

> inter-EU signatures

I assume this should be "intra-EU"? I'm not very familiar with eidas so I'm not sure, but afaik it's about signatures within the EU, not between different EUs (as there is only one in this world). (I hate this inter/intra wording, always have to translate it in my head to understand whether it's like internet (between networks) or like intranet (within a network). Would recommend using "within-" instead of intra whenever it's not already a well-established word, like intranet)

The gold standard for digital signatures today is

- someone sends you a docusign link

- you sign up with your email

- you sign with your name in a cutesy font

Theres a dispute? Well it was going to end up in court no matter how you signed it anyway. This has all the hallmarks of a design by committee project by people whose salary is paid regardless of demonstrating market fit, productivity, usage, plain sensibleness...

It's an NFC card that can be read with any NFC card reader, USB or smartphone based.

https://www.ausweisapp.bund.de/en/open-source I just saw that it's available in alpine.

So I tried installing it on my postmarketOS smartphone and it runs out of the box: https://i.imgur.com/nRIAyrq.png

My Shift6mq is listed has not having NFC support in postmarketOS, so I can't actually test it, but I assume the USB card reader option will work once it's supported.

The reason (or, depending on your inclinations, the excuse) for trusted computing to exist is not to guarantee that I didn’t patch the bootloader of the phone on which I type my comment; it’s to guarantee I didn’t patch the bootloader of the phone on which your grandma logs in to her bank without her knowledge.

You can bicker about the words all day long. Legitimacy, or perhaps better: authenticity, in this context, would be a bootloader or OS that doesn't allow tampering with the execution of an app.

Sorry but this is nonsense - most users, even the Linux toting power users - don't have the time, ability or knowledge to verify the contents of their OS in a way that would catch issues prevented by attestation.

The problem with modified phones containing malware is very real and unless you want a full on Apple "you're not allowed to touch the OS" model you need some kind of audited OS verification that you as a user or a security sensitive software can depend on.

I made an account because I'm qualified to talk about this topic :-) I've spent a considerable time testing every corner case of UX, and DX of an app attested service.

App attestation can fail on simulators, Graphene OS, dev builds, I've seen it all. There is one check you can do to see if an app was side loaded, so indirectly, can require Google account.

Title is still misleading though, as it explicitly mentions accounts.

I agree, there is still a reliance on the tech giants that produce the phones, who are the o'es embedding the cryptographic keys, to make this end to end attestation work.

But in pure technical & UX terms, you don't need to be logged in.