Not true. The device's public key is also sent, which functions as a stable device identifier.

We've spent years trying to get away from stable tracking IDs and fingerprinting. Returning to a system where devices are sending a stable ID to a website to prove ownership is a step backward.

There are proposed mitigations like issuing multiple sets of credentials or rotating them, but we're not going to get an infinite number of keypairs for every website or session in the secure enclave in practice.

Another reason why these proposals aren't getting much uptake is that they aren't addressing what the lawmakers are pursuing: They don't want anonymous authorization tied to the device. They want IDs tied to accounts and a way to discourage people from sharing IDs. In the anonymous systems it only takes one person a few minutes to put an over-18 identity into a device and there's no way to determine if someone is abusing the system by stealing IDs or if someone's 18 year old brother is setting up all of their younger brothers' phones for $5 each.

The situation gets stickier when you acknowledge that it's not possible to limit all of these websites to only mobile phone devices with secure enclaves that are not jailbroken. Once you open a door to desktop devices and other OSes accessing these sites, you open the door to replaying and proxying attacks, where someone will produce those `over_18` attestations on-demand for you, possibly for a minimal price. This brings us back to the public stable identifier to discourage fraud, which means governments won't be happy to issue as many keypairs as we want, which means we're back to semi-stable fingerprints.

Personally - this is less acceptable to me than just having the site collect my image/id.

I'd support just putting the id in a dedicated device (ex - gov issues smart key) or just accepting that sometimes people will share id info (just like... physical ids).

It doesn't even close all the doors to transferring ids - since I can still just hand someone a phone (just like... physical ids).

Yeah, and no Linux PCs, no custom builds of web browsers (which would effectively become open source in theory only)—basically the end of any kind of open platform. I would much rather just scan my ID!

IMO, there are two other issues that need to be solved. The major one is that there should be some way to do attestation of devices that are not Google-certified Android or iOS. If this does not happen, the smartphone duopoly is permanently entrenched and not a fair/free market anymore. There is no way to use a smartphone without basically losing your privacy to Google/Apple and given the increasing importance of online services it's becoming increasingly impossible to live without a smartphone.

It was very disheartening that the EU reference implementation was rolled out with only Play Integrity and Apple's counterpart. IMO, this should have been solved before the reference implementation was rolled out to member countries, because many of them won't bother to go beyond that [1]. It is also completely counterproductive when it comes to EU tech sovereignty. There is a group of pioneers that are growing the sovereign ecosystems and then you cut them off.

The second, perhaps lesser, problem is that the security story is not super strong, because most Android phones do not even have a secure enclave (outside Pixel and Samsung flagships/A5x, there are very few). Instead they rely on TrustZone etc. which are regularly targeted by side-channel attacks, etc. Ironically, GrapheneOS is cut off from most of these systems (because Google Play Integrity), while it actually requires a secure enclave and is more secure than... well I guess every other smartphone.

[1] There is some hope, e.g. the developers of the Dutch identity wallet acknowledge the issue and are open to supporting alternative systems.

I have to mention that EUID is not private, since there's "provider" element which informs website if you are 18 or not. The flow is:

1) You scan QR code 2) Your EUDI wallet does verification, informs provider to tell you are 18+ 3) Provider informs website you are 18+

The EUID draft doesnt mention tech like ohttp for anonymizing requests. So there's risk of provider keeping track of who you are. So while everybody claims its fully anonymous which is just false. Government could ask website/service for the token or account information then use timestamp or token then combining with "provider" logs, your identity will be exposed.

EUID has another problem which is letting all countries implement system, which is wasteful duplication effort so this probably will be outsourced and to same company to reduce duplication efforts. Then it'll be centralized and they happen be collecting telemetry data for "experience improvements" as everysite out there do.

I haven't even mentioned biggest problems like requiring attestation Apple/Google. While spec doesn't require it, but the likehood country's app requiring it will be very high.

This is completely unacceptable. In practice, this solution means a locked down device, probably controlled by Google or Apple.

The Internet has existed without identity or age verification for more than 30 years, and there is no reason to change that.

the very first line, government issued digital id - we have been avoiding that for a very long time

how does this work on an open source operating system?

“You must be this tall to ride this ride”

“ you must be 18 to own an iPhone 18+ “

I apologize for the drive-by question, and I appreciate your takes!

Do regular desktop and laptop computers have the same secure enclave feature?

So people in dubious legal circumstances are locked out the internet?

And there it is.