> You could run a modified client that lets you assume any identity you choose

Provided you know the secret key to a government-issued certificate. Making it impossible to copy said certificate is not really a requirement for identity verification.

reply
Some countries fixed it already, see Estonian and Polish IDs with a digital layer (performing signing, authentication, etc.), and the devices only acting as untrusted interfaces to these.
reply
But you can run modified client already.

Rooted, wildly insecure devices can pass the attestation easily: https://magisk.dev/modules/play-integrity-fix-inject/

Safe, updated devices cannot unless they permit Google to run their surveillance services in the privileged, unconstrained mode.

reply
The documentation actually reveals why this will most likely not work, given you are an expert on mobile security
reply
Who wrote that law and why, this is the question.

I think we need some finger-pointing that EU officials strive to avoid.

reply
It will likely display something like a QR Code with signature anyways, otherwise it's just a glorified passport picture?

Authorities/anyone could verify that it's not counterfeit. And photo should be checked anyways to match the person.

So I also don't see the need for attestation. For ID check it should be ok without. For signing stuff ofc it is not resistant to copying. But EID smartcard function already exists.

reply
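
The argument in the last comment, as an added example (not code from the thread or from any wallet implementation): an issuer-signed payload of the kind a QR code could carry verifies with only the issuer's public key, an edited payload fails, and a verbatim copy still verifies, so the holder binding comes from the photo check. The Ed25519 key, claim names and photo bytes are constructed assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed issuer key pair for the demo (assumption: Ed25519).
const issuer = crypto.generateKeyPairSync('ed25519');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Issuer side: sign the claims together with a hash of the holder's photo.
function issueCredential(claims, photoBytes) {
  const payload = JSON.stringify({ ...claims, photoSha256: sha256(photoBytes) });
  const sig = crypto.sign(null, Buffer.from(payload), issuer.privateKey);
  return { payload, sig: sig.toString('base64') }; // what the QR code would encode
}

// Verifier side: only the issuer's public key is needed; the presenting
// device is treated as an untrusted carrier of payload + signature.
function verifyCredential(cred, issuerPublicKey) {
  try {
    return crypto.verify(null, Buffer.from(cred.payload), issuerPublicKey,
                         Buffer.from(cred.sig, 'base64'));
  } catch {
    return false; // malformed signature or key
  }
}

// Holder binding: the photo shown must be the one the issuer signed.
// Comparing that photo with the person's face is left to the human checker.
function photoMatches(cred, photoShown) {
  return JSON.parse(cred.payload).photoSha256 === sha256(photoShown);
}

function demo() {
  const photo = Buffer.from('constructed-photo-bytes-holder');
  const cred = issueCredential({ name: 'Alice Example', born: '1990-01-01' }, photo);
  const edited = { ...cred, payload: cred.payload.replace('1990', '1980') };
  const copy = JSON.parse(JSON.stringify(cred)); // same bytes on another device
  return {
    genuine: verifyCredential(cred, issuer.publicKey),    // true
    edited: verifyCredential(edited, issuer.publicKey),   // false: signature breaks
    copied: verifyCredential(copy, issuer.publicKey),     // true: copying is not detected
    copiedPhotoSwapped: photoMatches(copy, Buffer.from('constructed-photo-bytes-other')), // false
    copiedPhotoKept: photoMatches(copy, photo),           // true: face comparison decides
  };
}

console.log(demo());
```
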