Smart-ID sucks. It's not truly hardware-backed, it's proprietary and has fundamental flaws like not having a direct link between the site being authenticated to and the authenticating device (auth can be proxied, just like if it were just plain TOTP).
SIM-based solutions on their way out is a non-issue. For eSIM to support that use case, political will only is needed: the EU got Apple to abandon the lightning cable, this is not any different.
Fundamentally can't be, it'd be a whole new solution.
> For eSIM to support that use case, political will only is needed: the EU got Apple to abandon the lightning cable, this is not any different.
Mandate every phone vendor to EAL4(+) certify their eSIMs? I'd love to see that, but I'm not sure that's a viable approach to take.
Plus, the process is something like:
- we want to do $something
- hire consultants to help us define $something and produce a document
- hire other consultants to write the specs for the project
- launch an RFP
- select a winner
- wait for the implementation to finish
All the proposed solutions will be something paid, ideally made by a really large company to lend it credibility, and with maintenance costs that justify hiring dedicated people for it.
In the end no one gets what they want.
You think if there was any will wouldn’t the whole EU use whatever the Estonians are doing very well?
Yes.
> You think if there was any will wouldn’t the whole EU use whatever the Estonians are doing very well?
Using the Estonian system would be vastly preferable.
If politics doesn’t allow that, the political environment is broken.
Instead they could have mandated the use of eIDAS 1 to all countries + extend it with attribute/credential support, and let countries choose their implementation (cards, SIM, server-side).
Instead we’re back to the drawing board with the big shortcomings highlighted in this thread.