So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx reading the document I don't think so... At least as far as I understand they list the available signals and then they state whether these signals are used in the rightmost columns. And the play integrity related signals are listed, but mostly unused, apart from SDK version and whether there are apps that may capture content from the verification app. To quote their description of device integrity:
> rooting via unlocked bootloader, unknown system image (e.g. custom ROM), loss of root of trust (e.g. manipulated boot sequence) + Google proprietary backend MDVM verdict to identify compromised devices (we do not know what they are actually doing in their backend)
They also state that it isn't used.
To me, this actually seems quite good
@pojntfx what bothers me more is that they appear to forbid OS downgrades
@hauswirtschaft_info Hello, the BMDS has commented on this topic here: https://social.bund.de/@BMDS/116363925
@bsi @hauswirtschaft_info "The page you were looking for was not found."
@pojntfx that would be terrible design, completely outrageous even. I'm not enough of a specialist to grasp that document fully, could you be so kind as to teach us how you concluded that Google/Apple would be a *requirement* from this document?
@arjen SafetyNet checks only pass on devices with unchanged, factory-sealed, non-unlockable firmware. Google has an allowlist of devices that pass that test. The same remote attestation mechanism is also used to block downloading the app through anything other than the Google Play Store, which you need a Google Account for. And you can't use Google if you're on the US sanction list (see e.g. the ICC prosecutor case). Using any open source OS of any type is also completely impossible.
If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police
@pojntfx Can my government please start following the law or at least try to...
I've said it before and I'll say it again: This entire project of identity verification with Apple/Google-account bound mobile devices is going to lead the continent down a dark, dark path into full technological submission to the US
@pojntfx that Google dependency is unacceptable. That said, there is no reason (other than "they want to") to require a Google account to use the Play store (to download free apps). From a GDPR perspective, that is already a breach of the law, and already should have been fixed.