Hacker News: Avamander's comments

I installed Fedora on BTRFS using their installer and I lost that partition entirely. Couldn't wrestle it back to life to even copy stuff off it.

I think what happened was that the machine ran out of battery in suspend, but an unclean shutdown shouldn't cause such a deep corruption.


> If only currently popular platforms are to be supported, how could a new platform join them in the future if the use of existing ones is mandated by governments?

The viable solution for that is to provide a trusted hardware implementation that can be used with any computing platform that has a documented interface. It can't be a software-only implementation, basically.


Glad you mentioned this possibility

Countries have centuries of experience providing attestation services through notaries. Germany is even infamous for requiring them for things that would sound ridiculous even in Brazil (both movie and country).

I can’t see why governments couldn’t incorporate this existing infrastructure into the digital world. Make them sell hardware ID wallets, enforce the real identity owner to be present to invalidate a previous ID or whatever, and add legal restrictions for the government not to be able to alter these registries.


> The less stupid variant is, of course, to get mobile operators to issue SIM cards with e-sign capabilities. Estonia has that, for example: https://www.id.ee/en/mobile-id/

It works great. Just keep in mind that newer phones are starting to deprecate physical SIM slots. At the same time certifying eSIM implementations to the same EAL level is an absolutely crazy task.


> At the same time certifying eSIM implementations to the same EAL level is an absolutely crazy task.

It probably is, but it does make sense. eSIM standards were built to solve pretty much the same problem (make cloning eSIM profiles impossible), so it should be a good anchor of trust for that.


Plenty of EU countries have rolled out SmartCards for this exact purpose, some are now adding NFC functionality. Nothing really stops Germany from continuing like that either.

The issue then becomes the UI/UX. If the legal mandate is not strong enough the solution will not gain enough ground. You can see this if you start comparing those countries with an eID rolled out.


Once SafetyNet was brought to Android a decade ago the tendency has been clear - these freedoms are going to be restricted heavily.

Because how do you make sure it's the user who does those modifications, willingly and well-informed? That it's not a malicious actor, not a user getting socially engineered or phished? Incredibly difficult compared to the current alternative.

If it's not a software root of trust that provides an attestable environment like Android or iOS, it's going to be a hardware root of trust that provides an attestable hardware environment, like SGX. I can predict no other practical avenue taken. Unless the orangutan really forces a demonstration on how untrustworthy these environments can be and a lot of money and effort is spent.


You can maybe trust the user to handle their own certificate in their own devices? Though I admit requiring attestation is probably a good default.

One important feature of a legal ID is that it's hard to copy, so attestation from the hardware storage would have to be basically mandatory.

But yeah, the user could have a choice to this extent.


You can attest that cryptographic key material is safely stored without attesting that their operating system and software running on it is all government-approved.

That's what smartcards like Yubikey do, my government certificate is on it and it can't be exported. They could attest that but beyond that, the operating system of the host device is none of their business.


> You can attest that cryptographic key material is safely stored without attesting that their operating system and software running on it is all government-approved.

There's no proper way of doing so on Android.

Some countries, like Estonia, are providing their own SIMs to solve this problem. That indeed works. Unfortunately phones are being made that are eSIM-only and certifying eSIMs to the same EAL level is near-impossible.


> The ability for us as users to lie to the apps is actually essential to preserving our agency. Without that we're screwed, as now to connect ourselves to the fabric of the society we'll need to find and exploit vulnerabilities that are going to be patched as soon as they become public.

The same freedom is being abused by malicious actors. Even on Windows (like BlackLotus), but also on pre-infected phones emptying people's bank accounts. This is an incredibly unfortunate outcome, but what's the solution?

I see no other potential outcome than that free computing and trusted computing are going to be totally separate. Possibly even on the same device, but not in a way that lets anyone tamper with it.


A lot of other freedoms are being abused and always have been, but somehow we don't go and ban kitchen knives, as having them around is valuable. This is a false dichotomy. Systems can be secure and trusted by the user without having to cede control, and some risks are just not worth eliminating.

Most importantly - it's the user who needs to know whether their system has been tampered with, not apps.


> somehow we don't go and ban kitchen knives

False analogy. You can’t have your kitchen knife exploited by a hacker team in North Korea, who shotgun attacks half of the public Internet infrastructure and uses the proceeds to fund the national nuclear program, can you? (I somewhat exaggerate, but you get the idea.)

> Systems can be secure and trusted by the user without having to cede control

In an ideal world where users have infinite information and infinite capability to process and internalize it to become an infosec expert, sure. I don’t know about you, but most of us don’t live in that world.

I agree it’s not perfect. Having to use liquid glass and being unable to install custom watch faces is ridiculous. There’s probably an opportunity for a hardened OS which can be trusted by interested parties to not be maliciously altered, and also not force so many constraints onto users like current walled gardens do. But a fully open OS, plus an ordinary user who has no time or willingness to casually become a tptacek on the side, in addition to completely unrelated full-time job that’s getting more competitive due to LLMs and whatnot, seems more like a disaster than utopia.


> You can’t have your kitchen knife exploited by a hacker team in North Korea, who shotgun attacks half of the public Internet infrastructure and uses the proceeds to fund the national nuclear program, can you? (I somewhat exaggerate, but you get the idea.)

Isn’t the status quo, that you need to intentionally choose to allow this?


Yes (well, kinda - attested systems can be and are vulnerable too), and remote attestation is completely orthogonal to that threat anyway. Securing the boot chain does not involve letting apps verify the environment they run in, it's an extra (anti-)feature that's built on top of secure boot chains.

It's also really incredible how people can see "user being in control" and just immediately jump to "user having to be an infosec expert", as if one implied the other. You can't really discuss things in good faith in such a climate :(


Bootloader patching is just what you chose to use in your original false analogy. Letting apps verify the environment they run in is just as critical for the purposes of guaranteeing the digital identity. It’s all pieces of the puzzle.

It's not. I can guarantee my identity by e.g. scanning my ID card on a system with absolutely no secure boot chain. I can also guarantee a secure boot chain with my patched bootloader. Neither of these things require apps to verify the environment they run in.

> I can guarantee my identity by e.g. scanning my ID card on a system with absolutely no secure boot chain.

Your ID card is on your phone. Go ahead, guarantee you’re not using a duplicate of someone else’s ID card, that no one could duplicate your card, with a mainstream widely available consumer phone.

> I can also guarantee a secure boot chain with my patched bootloader.

Go ahead, show how your grandma automatically guarantees to interested parties that I or whoever else didn’t patch her bootloader to run a backdoored OS, while using a mainstream widely available consumer phone.

> Neither of these things require apps to verify the environment they run in.

Demonstrate a mainstream, widely available consumer phone that does these things without requiring apps to verify the environment they run in.

We can continue this infinitely, but if you keep making sweeping contrarian statements without contributing the proof required then it’s just not worth it.


> Your ID card is on your phone.

No, it's not. It lies on the desk next to me right now. I can communicate with it over NFC and I can't duplicate it. There's a debit card next to it and the same applies there - though it can also be communicated with by using a smartcard reader, which can't be done with my ID.

> guarantees to interested parties

The only interested party is my grandma, and she'll come to me to help her because her phone will stop working when the boot chain gets compromised (as it should).

> Demonstrate a mainstream, widely available consumer phone that does these things without requiring apps to verify the environment they run in.

Pretty much all of them today? Letting apps verify the environment is an extra feature built on top of secure boot chains, not the other way around. We're only having this discussion because having secure boot chains enables app attestation to work in the first place, and letting the user patch things is just a matter of key management policies. If you think these are "sweeping contrarian statements", you may want to spend some time learning how these things work.

This is not a technical problem, technical aspects have been already solved a long time ago. This is a social/political problem of who holds power over whom.


On iOS, the worst you can do is not update your OS and thus be vulnerable to exploits. There is no setting that a casual user could be socially engineered into enabling that would allow the OS to be patched.

> but somehow we don't go and ban kitchen knives, as having them around is valuable

Some countries do :) Though I think physical analogies are misleading in a lot of ways here.

> Systems can be secure and trusted by the user without having to cede control, and some risks are just not worth eliminating.

Secure, yes, trustworthy to a random developer looking at your device, no. They're entirely separate concepts.

> Most importantly - it's the user who needs to know whether their system has been tampered with, not apps.

Expecting users to know things does a lot of heavy lifting here.


I never mentioned users having to know things (what you quoted was about the user getting informed whether their system is compromised, which is the job of a secure boot chain). The user being in control means that the user can decide who to trust. The user may end up choosing Google, Apple, Microsoft etc. and it's fine as long as they have a choice. Most users won't even be bothered to choose and that's fine too, but with remote attestation, it's not the user who decides even if they want to. And we don't need random developers looking at our devices to consider them trustworthy, it's none of their business and it's a big mistake to let them.

> what you quoted was about the user getting informed whether their system is compromised, which is the job of a secure boot chain

User being informed means they have to know what a compromised system would entail. That alone is a huge and frankly impossible thing to expect from regular people.

> Most users won't even be bothered to choose and that's fine too, but with remote attestation, it's not the user who decides even if they want to.

> And we don't need random developers looking at our devices to consider them trustworthy, it's none of their business and it's a big mistake to let them.

Then you can't demand those developers trust your device.


> That alone is a huge and frankly impossible thing to expect from regular people.

The systems used by regular people could just refuse to boot further when detecting a compromise, so I'm not sure where this comes from. We have prior art for that too. This is still orthogonal to letting users who want to patch things patch them, and not letting the apps verify what environment they run in. It's all compatible with each other, and with both regular and power users.

> Then you can't demand those developers trust your device.

Somehow we could for decades. Whether we'll still be able to in the future depends only on how much noise and friction we'll make about it now.


> This is still orthogonal to letting users who want to patch things patch them, and not letting the apps verify what environment they run in. It's all compatible with each other, and with both regular and power users.

No, they're fundamentally opposed to each other. The entire point is that developers don't want their apps patched by just anyone, especially not malicious actors. A small minority of power users will inevitably get caught in the crossfire.

> Somehow we could for decades. Whether we'll still be able to in the future depends only on how much noise and friction we'll make about it now.

No, you really couldn't. Past lack of technical means doesn't mean anyone trusted your device nor that we had use-cases where this was important. (It was also usually solved with external hardware, physical dongles and whatnot.)


> The entire point is that developers don't want their apps patched

That's exactly what I'm trying to say. The entire point is not to secure the user, it's to secure the apps. It's working against the user's interest, as letting the user lie to apps is essential to user's agency. The technical means used to achieve this could also be used to work for the user and ensure their security without compromising their agency, but that's not what happens on mainstream platforms.

> No, you really couldn't.

Yes, you could. Exactly how you describe, so it was used only where it mattered, and in other cases they just had no choice. Today the friction is so low that even McDonald's app will refuse to work on a device it considers untrustworthy. The user does not benefit from that at all.


> as letting the user lie to apps is essential to user's agency.

You do understand that in this case the user's agency has a very clear line?

Tampering with an electronic identity software is not a fundamental right the same way as tampering with your ID-card or passport isn't.

> [...] and in other cases they just had no choice.

QED. Not that they wouldn't or didn't want to.


App attestation does not stop at legally binding identity software, and legally binding identity software can be serviced without app attestation. I accept not being able to tamper with my ID card, I may say it's "mine" but it ultimately belongs to the government; I don't accept not being able to tamper with my computers, they wouldn't belong to me anymore if that was the case.

> Not that they wouldn't or didn't want to.

Of course, but my devices' purpose isn't to grant wishes to corporations. In the ideal world they would still have no other choice. Unfortunately the more people use platforms that let them attest the execution environment the less leverage we have against them.


> I accept not being able to tamper with my ID card, I may say it's "mine" but it ultimately belongs to the government; I don't accept not being able to tamper with my computers, they wouldn't belong to me anymore if that was the case.

So where does a digital ID card fit in your model? It's the government's but on your computer.


I have a digital ID card on my desk right now. It does not need to be stored on the phone which has all the means necessary to communicate with the card. In fact, if it was in a slightly different form factor I could even put it physically into my phone as it happens to have a built-in smartcard reader, which would still be a more reasonable solution than apps since then it wouldn't be strongly coupled with a complex device that can break or be compromised in various ways (some of which can't be solved with attestation) and would maintain a clear separation between what's mine and what's government's. What exactly would I, as a user, gain by muddling that distinction?

How large is this preinfected phones problem? Is it large enough to sacrifice freedom?

We have had a large discovery of pre-installed malware every year for the past decade so far. Seems like a fairly big problem.

And how exactly did attestation help there?

Securing apps from the user does not secure the user from malware.


Now you can't bundle malware deep within the system "ROM" unless you want to break SafetyNet's attestation. It's a big change in that aspect.

Custom ROMs tell you that this is not true at all.

Custom ROMs no longer pass SafetyNet attestation, which apps such as banking ones (or streaming service ones) check.

I hope you mean Play Integrity, since there is no SafetyNet attestation anymore. And for that: https://github.com/osm0sis/PlayIntegrityFork

But there were similar things for SafetyNet attestation while it existed.


Product rebrandings are kinda irrelevant.

Your link nicely says "as a general rule you can't use values from recent devices due to them only being allowed with full hardware backed attestation". These attestation workarounds have been rendered increasingly obsolete.


> because card reader support is still shit in browsers in 2026.

Tragedy of the commons, nobody seems to have bothered to work on it. It's not like Chromium or Firefox wouldn't accept contributions.


You keep lashing out at people in this thread.

Demanding full control over something like an ID will fundamentally not happen. The same way you won't have full control over the way passports or paper bills are made.

Take for example the expectation that some poor fool's ID can't be cloned and reused by malicious actors - full control directly contradicts that. It will not and must not be possible.


We don't need 'full control' over an ID. We need the status quo, where we mostly have control over our devices, and where paper IDs are still the foundation of society. Things are fine the way they are. There are problems, sure, but no problems that are made better by an all-encompassing surveillance state.

If I am lashing out, it is because this is perhaps the most dangerous thing I've ever seen proposed, and it is deeply distressing how people are sleepwalking into it. To be honest, if I were German, I would probably just kill myself the day I was legally mandated by my government to register my identity with Google. That might sound hyperbolic, but I'm really not kidding. I have lived with privacy, anonymity, and freedom for all of my life. If the future of this world is one where the government and Google have complete control over every single thing you do, I'd rather die having lived a satisfying life than witness the horrors that are to come.


How do you use your paper ID to prove identity or age or citizenship to someone hundreds of kilometers away whom you are conducting an online transaction with?

It's not that important to be able to do that. You have been educated to trade your freedom for that kind of convenience, but it is not necessary.

Proof: things mostly work now without all the surveillance state shenanigans.

More proof: humans have lived full and fulfilling lives without "proving identity or age or citizenship to someone hundreds of kilometers away".


> It's not that important to be able to do that. You have been educated to trade your freedom for that kind of convenience, but it is not necessary.

It's important enough that people do so without any eID, using methods both more invasive and less reliable. Gas bills, document photos, having to take videos and pictures of yourself.

Humans have lived in caves and died of preventable diseases, it doesn't mean it's a better way of living.


> To be honest, if I were German, I would probably just kill myself the day I was legally mandated by my government to register my identity with Google. That might sound hyperbolic, but I'm really not kidding.

This is honestly not a good argument - it makes you sound desperate and puts in doubt your mental stability. I don't think you actually have mental problems, I just mean this kind of argument comes off bad.

Also nobody is forcing anyone to do anything. You don't have to own a digital ID. It just makes things easier, because you can sign things over the internet, or present your phone instead of your plastic ID. Both things already have alternatives (qualified signatures and regular physical ID), so no immediate harm is being done.

Don't get me wrong, I am personally anti bigtech, I try to degoogle as much as possible, and I find the thought of my government coercing me to use google/apple duopoly repulsive. I dislike that, but using phones (instead of for example dedicated hardware) IS pragmatic, and you are not forced to do anything.

Sent from my pixel phone.


> You don't have to own a digital ID.

For now. In 5 years you will, there is not one doubt in my mind about that. We've been on a slippery slope for (at least) 40 years straight, every year is a loss of privacy rights compared to the last, there is not a single year that reversed the trend, not a single year where we paused and stayed where we were. Once digital ID is implemented everywhere, alternatives will be quickly phased out. It's straight downhill as governments and corporations take more and more advantage of technology to build a degree of surveillance that even dystopian science fiction writers couldn't imagine.

The government, the corporations, the data brokers each individual corp sells your data to, to compile a unified profile, and anyone the data brokers are willing to sell to have an unbelievable amount of information on the average citizen. They know where you live, where you are at all times, where you work, every website you visit, every Google search you've ever made, everything you purchase, all of your acquaintances, when and for how long you call those acquaintances, the full contents of any conversations you have with those acquaintances, your interests, your hobbies, your political beliefs.

I have thus far managed, I believe, to avoid the worst of the surveillance, with a tremendous amount of effort and the sacrifice of an unbelievable amount of personal convenience. But every year I find myself losing access to more and more things that I am unable to do without compromising my privacy. If it gets as far as government-mandated Google ID in my country, I think it's completely rational to kill oneself rather than live like cattle. If there were a resistance movement, I would participate in that instead, but this is happening completely voluntarily. You people want this. There is no resistance. Fine, you can have your dystopia. But there is no reason I need to be part of it, and I don't think it's a sign of mental illness to opt out. I don't much believe in living for the sake of living, you should live if it brings you happiness/satisfaction/whatever and don't if it doesn't.


> I try to degoogle as much as possible

> Sent from my pixel phone

This contradiction is not even funny. Sent from my Librem 5.


SIM-based solutions are on their way out because phones are starting to lose SIM slots. Certifying eSIM implementations to the same EAL level (as Mobile-ID SIMs are) is way way too difficult. At least for one country doing it alone.

Smart-ID sucks. It's not truly hardware-backed, it's proprietary and has fundamental flaws like not having a direct link between the site being authenticated to and the authenticating device (auth can be proxied, just like if it were just plain TOTP).
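The "auth can be proxied" flaw described above, as an added illustration that is not part of the original comment or of Smart-ID: a challenge/response where the device signs only the server's challenge can be relayed through a look-alike site, while a design that also binds the signature to the origin the user is actually connected to makes the relayed response fail verification. The device key is modelled with HMAC over a shared secret as a stand-in for a real asymmetric device key, and all names and origins are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: stands in for the private key held by the authenticating device.
DEVICE_SECRET = b"constructed-device-secret"


def device_sign(challenge: bytes, origin: Optional[str]) -> bytes:
    """What the authenticating device signs.

    origin=None models the proxyable design: only the server's challenge is
    covered, so the signature says nothing about which site asked for it.
    With an origin, the client app includes the origin it is actually
    connected to, so the signature is bound to that site.
    """
    msg = challenge if origin is None else challenge + b"|" + origin.encode()
    return hmac.new(DEVICE_SECRET, msg, hashlib.sha256).digest()


def site_verify(site_origin: str, challenge: bytes, signature: bytes,
                bound: bool) -> bool:
    """Verifier at the real site: expects the signature to cover its own
    origin when the bound design is used, otherwise only the challenge."""
    expected = device_sign(challenge, site_origin if bound else None)
    return hmac.compare_digest(expected, signature)


REAL_SITE = "https://bank.example"          # constructed
LOOKALIKE_SITE = "https://bank-example.test"  # constructed phishing origin


def legitimate_login(bound: bool) -> bool:
    """User talks directly to the real site; the device signs for that origin."""
    challenge = secrets.token_bytes(32)
    sig = device_sign(challenge, REAL_SITE if bound else None)
    return site_verify(REAL_SITE, challenge, sig, bound)


def relayed_login(bound: bool) -> bool:
    """User is on a look-alike site that forwards the real site's challenge to
    the user's device in real time and submits the answer to the real site.
    Returns whether the real site accepts the relayed response."""
    challenge = secrets.token_bytes(32)  # issued by the real site to the relay
    # The user's client signs for the origin it is actually connected to.
    sig = device_sign(challenge, LOOKALIKE_SITE if bound else None)
    return site_verify(REAL_SITE, challenge, sig, bound)


if __name__ == "__main__":
    print("unbound, legitimate:", legitimate_login(bound=False))  # True
    print("unbound, relayed:   ", relayed_login(bound=False))     # True (proxied)
    print("bound, legitimate:  ", legitimate_login(bound=True))   # True
    print("bound, relayed:     ", relayed_login(bound=True))      # False
```

The relayed case succeeds only in the unbound design, which is why the comment compares it to plain TOTP; origin binding is the property that makes the response useless to a relay.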


Agree on Smart-ID but the answer is to fix those flaws, not to replace the entire approach with one that depends on Google Play Integrity verdicts that even the German architects admit they can’t fully trust.

SIM-based solutions on their way out is a non-issue. For eSIM to support that use case, only political will is needed: the EU got Apple to abandon the lightning cable, this is not any different.


> Agree on Smart-ID but the answer is to fix those flaws

Fundamentally can't be, it'd be a whole new solution.

> For eSIM to support that use case, only political will is needed: the EU got Apple to abandon the lightning cable, this is not any different.

Mandate every phone vendor to EAL4(+) certify their eSIMs? I'd love to see that, but I'm not sure that's a viable approach to take.


Indeed, the text feels very LLM-written.

All interactions with the "author" of the "research" in this thread also.

Reading HNN is not interesting anymore if bots are allowed at the party.

