I attestation should be abolished altogether. An app should have absolutely no way of knowing what kind of device it’s running on or what changes the user has made to the system. It is up to each individual to ensure the security of their own device. App developers should do no more than offer recommendations. If someone wants to use GrapheneOS, root their device (not recommended), or run the whole thing in an emulator, a homemade compatibility layer under Linux, or a custom port for MS-DOS, that should be possible.
Exactly. It's my own device, I can do whatever I please with it. There shouldn't be an automated way for apps to check if my device has been blessed by the US tech giants or not.
It’s my own device so I should be allowed to let the manufacturer make it secure so I don’t need to worry about security.
I don’t want _all_ my devices to behave like that but I definitely want my phone to be more trustworthy for banking and government service purposes.
That's not the problem at all.
The problem is that manufacturers are forcing everyone into this scheme for the express purpose of mass surveillance and control.
It has nothing to do with making your device "secure"
> I should be allowed to let the manufacturer make it secure so I don’t need to worry about security.
You can still do this by simply not rooting your phone, or replacing the manufacturer's cryptographic key with your own, or altering whatever other 'security' measures are in place. What you're asking for is to have no other choice but to give the manufacturer control over your devices.
I agree, you should be able to run anything you want, root your device, etc., but you also have to accept the consequences of that. If an app can no longer verify its own integrity, certain features are simply impossible to implement securely.
Think of it this way: A physical ID (which is what we're trying to replace here) also has limitations, it looks a certain way, has a certain size, etc. Just because somebody wants a smaller ID or one with a larger font or a passport in a different colour or whatever, doesn't mean that this should be allowed or possible. Some limitations exist for a good reason
Users have the right to modify any app running on their own device. Software security should never depend on the user having no control over their own device. Smartphones are essentially just regular computers, and on them you can use a debugger and do whatever you want. Viewing smartphones as closed systems like game consoles where you need the manufacturer’s permission for everything only leads us into the dystopia that Richard Stallman described as early as 1997 in his short story "The Right to Read"
To become dystopia people must be forced to use locked down smartphones. In reality you buy the one that suits your needs and do not enforce your design decisions on the smartphones other people use.
Where is that free choice that you see "in reality"? This post is about the opposite of that getting put in place. The actual reality is that almost every service provider is converging on supporting a few extremely restrictive options. From every private service you can think of, to key government services. They all are saying "to interact with us, you must use one of these two types of devices, with all the attestation and security measures intact". It's impossible for people to make their own design decisions or choose for themselves, because other options do not have the corporate/government blessing.
It's ridiculous that you look at all of us being forced into a government-protected duopoly, and then say "Don't you dare force your decisions on us!" to anyone suggesting that this should not be the default. Rules for us, but not them.
> They all are saying "to interact with us, you must use one of these two types of devices, with all the attestation and security measures intact"
Are you claiming that this is the only way of interacting with particular government services, with the other ways that existed before the app no longer being available? To make situation „dystopian“ this must be the case.
That is clearly the direction, yes.
First it's new and optional, then it's mature but equal, then as adoption grows further, the old way of doing things gets deprioritized and neglected, then you're a 2nd tier citizen until they finally remove it altogether.
See: Essential businesses like grocery stores going cashless
Once SafetyNet was brought to Android a decade ago the tendency has been clear - these freedoms are going to be restricted heavily.
Because how do you make sure it's the user who does those modifications, willingly and well-informed? That it's not a malicious actor, not an user getting socially engineered or phished? Incredibly difficult compared to the current alternative.
If it's not a software root of trust that provides an attestable environment like Android or iOS. It's going to be a hardware root of trust that provides an attestable hardware environment, like SGX. I can predict no other practical avenue taken. Unless the orangutan really forces a demonstration on how untrustworthy these environments can be and a lot of money and effort is spent.
You can maybe, trust the user to handle it's own certificate in their own devices? Though I admit requiring attestation is probably a good default.
One important feature of a legal ID is that it's hard to copy, so attestation from the hardware storage would have to be basically mandatory.
But yeah, the user could have a choice to this extent.
You can attest that cryptographic key material is safely stored without attesting that their operating system and software running on it is all government-approved.
That's what smartcards like Yubikey do, my government certificate is on it and it can't be exported. They could attest that but beyond that, the operating system of the host device is none of their business.
> You can attest that cryptographic key material is safely stored without attesting that their operating system and software running on it is all government-approved.
There's no proper way of doing so on Android.
Some countries, like Estonia, are providing their own SIMs to solve this problem. That indeed works. Unfortunately phones are being made that are eSIM-only and certifying eSIMs to the same EAL level is near-impossible.
[dead]
Comparing being able to run the hardware and software of your choice to "wanting a passport in a different color or whatever" is so completely fucked, and it's beyond insane as a justification for giving two American tech companies with a well established track record for doing evil control over your citizens' ID.
The world has gone absolutely mad, what the fuck am I even witnessing? It is quite literally becoming 1984 in front of my eyes, with people complying completely voluntarily and openly advocating for it, not even a threat of force to make it happen.
You keep lashing out at people in this thread.
Demanding full control over something like an ID will fundamentally not happen. The same way you won't have full control over the way passports or paper bills are made.
Take for example the expectation that some poor fool's ID can't be cloned and reused by malicious actors - full control directly contradicts that. It will not and must not be possible.
We don't need 'full control' over an ID. We need the status quo, where we have mostly have control over our devices, and where paper IDs are still the foundation of society. Things are fine the way they are. There are problems, sure, but no problems that are made better by an all-encompassing surveillance state.
If I am lashing out, it is because this is perhaps the most dangerous thing I've ever seen proposed, and it is deeply distressing how people are sleepwalking into it. To be honest, if I were German, I would probably just kill myself the day I was legally mandated by my government to register my identity with Google. That might sound hyperbolic, but I'm really not kidding. I have lived with privacy, anonymity, and freedom for all of my life. If the future of this world is one where the government and Google have complete control over every single thing you do, I'd rather die having lived a satisfying life than witness the horrors that are to come.
How do you use your paper ID to to prove identity or age or citizenship to someone hundreds of kilometers away whom you are conducting an online transaction with?
It's not that important to be able to do that. You have been educated to trade your freedom for that kind of convenience, but it is not necessary.
Proof: things mostly work now without all the surveillance state shenanigans.
More proof: humans have lived full and fulfilling lives without "proving identity or age or citizenship to someone hundreds of kilometers away"
> It's not that important to be able to do that. You have been educated to trade your freedom for that kind of convenience, but it is not necessary.
It's important enough that people do so without any eID, using methods both more invasive and less reliable. Gas bills, document photos, having to take videos and pictures of yourself.
Humans have lived in caves and died of preventable diseases, it doesn't mean it's a better way of living.
>To be honest, if I were German, I would probably just kill myself the day I was legally mandated by my government to register my identity with Google. That might sound hyperbolic, but I'm really not kidding.
This is honestly not a good argument - it makes you sound desperate and puts in doubt your mental stability. I don't think you actually have mental problems, I just mean this this kind of argument comes off bad.
Also nobody is forcing anyone to do anything. You don't have to own a digital ID. It just makes things easier, because you can sign things over the internet, or present your phone instead of your plastic ID. Both things already have alternatives (qualified signatures and regular physical ID), so no immediate harm is being done.
Don't get me wrong, I am personally anti bigtech, I try to degoogle as much as possible, and I find the thought of my government coercing me to use google/apple duopoly repulsive. I dislike that, but using phones (instead of for example dedicated hardware) IS pragmatic, and you are not forced to do anything.
Sent from my pixel phone.
> You don't have to own a digital ID.
For now. In 5 years you will, there is not one doubt in my mind about that. We've been on a slippery slope for (at least) 40 years straight, every year is a loss of privacy rights compared to the last, there is not a single year that reversed the trend, not a single year where we paused and stayed where we were. Once digital ID is implemented everywhere, alternatives will be quickly phased out. It's straight downhill as governments and corporations take more and more advantage of technology to build a degree of surveillance that even dystopian science fiction writers couldn't imagine.
The government, the corporations, the data brokers each individual corp sells your data to to compile a unified profile, and anyone the data brokers are willing to sell to have an unbelievable amount of information on the average citizen. They know where you live, where you are at all times, where you work, every website you visit, every Google search you've ever made, everything you purchase, all of your acquaintances, when and for how long you call those acquaintances, the full contents of any conversations you have with those acquaintances, your interests, your hobbies, your political beliefs.
I have thus far managed, I believe, to avoid the worst of the surveillance, with a tremendous amount of effort and the sacrifice of an unbelievable amount of personal convenience. But every year I find myself losing access to more and more things that I am unable to do without compromising my privacy. If it gets as far as government-mandated Google ID in my country, I think it's completely rational to kill oneself rather than live like cattle. If there were a resistance movement, I would participate in that instead, but this is happening completely voluntarily. You people want this. There is no resistance. Fine, you can have your dystopia. But there is no reason I need to be part of it, and I don't think it's a sign of mental illness to opt out. I don't much believe in living for the sake of living, you should live if it brings you happiness/satisfaction/whatever and don't if it doesn't.
> I try to degoogle as much as possible
> Sent from my pixel phone
This contradiction is not even funny. Sent from my Librem 5.
> with a well established track record for doing evil control
Can you please elaborate on that record?
The clauses are [with a well established track record for doing evil] [control over your citizens' ID], if that's not clear. I wonder from where your quote cut off if my sentence was misunderstood.
As to the well-established track record of doing evil... gestures broadly everything? Google in particular has built an empire on stripping away people's privacy, and they regularly ruin people's livelihood by eg. shutting down Youtube accounts incorrectly with automated systems and no way of ever reaching a human for support unless you're famous enough to make it a PR issue. Apple is the same, just recently with a thread on HN lamenting that Apple was destroying their business because they revoked their dev license, or in other words, a private company unilaterally revoked the ability of a business to create mobile software for billions of devices. And now we want to give them control over our IDs? ????????????????????????
Search for "Google" in my favorite submissions on HN.
Well, in that case, if they want full control and attestation yadda yadda, I'm fine with them shipping me a device they fully control exclusively for use of this stuff. But if we're talking about my smartphone that I paid for with my money that I worked for, I will do whatever I damn please with it. So I guess that means eIDAS will be inaccessible to me.
That device is a personal ID card with a chip. Many EU countries issue them.
Why not just have the Secure Enclave in the ID card and use NFC to communicate with it? Think about it, you literally have dozens of computers between you and the provider. Routers, middleboxes, load balancers, servers etc, all insecure or untrusted, but somehow my device needs to have their special rootkit and hardware DRM. A separate device that can be provisioned with ID is the least to ask. If the government doesn’t trust me with my device, fine, but then return the favor - I don’t trust them either. Both governments and corporations that are gonna use this have long track records of invasive, often illegal spying - whereas my track record is letting people mind their own business.
This is exactly what the ID cards I'm talking about are. You tap them to the phone or a desktop reader and it works. You just invented something that already exists.
eIDAS just takes this one step further and gives you an option to not have to carry your card with you. But if you refuse to have an attested phone, then you pay those 20EUR to get the ID card (which you probably need for other uses as well) and move on with your life.
> This is exactly what the ID cards I'm talking about are. You tap them to the phone or a desktop reader and it works. You just invented something that already exists.
Great, thanks for clarifying. Please be mindful not everyone are domain experts and we’re all (hopefully) trying to learn.
Now, do you know whether ID cards will work with the proposed German system for e2e online ID verification? My understanding from comments was that it doesn’t, and providers are free to require the app-based version.
In Sweden we have an app-based system now (BankID), and afaik there are no alternatives that work reliably. You have to buy an American phone every few years to participate in basic societal functions. However, the government is ”looking into” decoupling digital identity from (1) banks and (2) mandatory hardware manufacturers (iOS/Android).
True, but its really hard to name a family of commercial devices with security features in hardware, including serious security features, which were not eventually hacked.
Worse still, for new mainstream devices that are believed to be safe the state sponsored actors will likely operate unpublished exploits, and will exploit the misplaced faith people and judiciary will put in device attestation. I dont think the very likeable people who worked on Pegasus found themselves respectable jobs - they are likely still selling that sophisticated crap to all authoritarian regimes.
No. I reject this framing. It is none of anybody's business how "secure" my device ever is. A smartphone is a piece of electronics, and not a tamper evident identity device.
The German version of the eDIAS app should be completely banned from being used for age verification, if they wish to continue the project. Otherwise it effectively bans you from a sizeable portion of the internet, unless you accept unacceptable privacy violations.
> An app should have absolutely no way of knowing what kind of device it’s running on or what changes the user has made to the system.
and therefore the app cannot give a reasonable guarantee that it is not running in an adversarial environment that actively tries to break the app's integrity. Thus, the app cannot be used as a verified ID with governmental level of trust.
There's a difference between needing to lock down the whole OS and just the secure element. The secure hardware component can sign a challenge and prove possession of a private key without you being able to extract it. Smartcards have done this for decades (most people here will know an implementation under the name Yubikey).
Conveying authentic information across untrusted channels (your phone screen, say) has been a solved problem since asymmetric cryptography was invented back before I was born
All the more reason to not be requiring such things in the first place.
And that it is not required. Physical ID is still accepted
Still. Until you have to prove your age to social media websites, for which you'll be nudged to use a digital id.
Unless you'll want to make your face available to third party verification services.
If your app needs to be protected from harm, it cannot protect the user from said harm. I hoped software engineering culture was lucky to not have the same precepts that make lockpicking a crime in the real world, that we successfully make it into common knowledge that you can't grant any trust to the client, but it seems "trusted computing" is making some of us unlearn that lesson.
While this is HEAVILY off-topic i just have to say it.
"common knowledge that you can't grant any trust to the client" is the exact reason it annoys me so much when peoples solution to cheaters in video games is basically just "Rootkit my pc please"
As long as the anticheat is Client sided, you shouldnt put trust in it.
You do not have to trust the device if you can verify the information it provides, either cryptographically or by checking with an authoritative trusted server.
> governmental level of trust
This made me laugh out loud. Not because it's a meaningless phrase (where does "governmental" rank on a scale of fully to least trusted?), but because it seems to imply that governments do not have a miserable track record when it comes to IT security.
Though I suppose considering a security model sound because it uses security through obscurity like a blackbox integrity check would be very... governmental.
Does that mean "govermental level of trust" ranks somewhere between "snake-oil" and "cope"?
> an adversarial environment that actively tries to break the app's integrity
Can you elaborate on what this means? Who is the adversary? What kind of 'integrity'? This sounds like the kind of vague language DRM uses to try to obscure the fact that it sees the users as the enemy. An XBox is 'compromised' when it obeys its owner, not Microsoft.
The app is running in a virtual environment intercepting its system calls and designed to patch app‘s memory to fake an ID.
> governmental level of trust
For most governments that is a very low bar.
Exactly this. And whats more, the idea of device attestation makes people trust those devices, and the history of rooting consoles and phones proves that nothing holds, even tech backed by billions in commercial interest.
The whole point in reducing the blast radius is valid - by all means make this optional and allow the user to elect to tie their identity to the device. For everyone else, implement validation of actual transactions, not just user secrets and device secrets.
This is the original sin of modern computing. Almost all anti user features are only made possible because we didn't pass laws against "secure elements" that serve the maker and not the owner when NGSCB got announced.
[dead]