[runako]

> If it’s analyzes my ID 100% client side I can fake any info I want. If my ID goes to a server,

amplifying your point, there is effectively no way for the layperson to make this distinction. And because the app needs to send data over an encrypted channel, it would be difficult at best for a sophisticated person to determine whether their info is being sent over the wire.

[XorNot]

This is a fairly weak argument though: the layperson also cannot verify the software updates we push to their phone/computer or any number of other critical devices in the chain.

All of this is reputation management: if technical experts broadly agree the system does what it says, then all of us have to accept that in aggregate that's probably good enough and significantly better then many other areas.

[donmcronald]

> And because the app needs to send data over an encrypted channel, it would be difficult at best for a sophisticated person to determine whether their info is being sent over the wire.

Devices are built from the ground up to prevent even sophisticated users from tapping them to verify we aren't being lied to. The average person thinks that "hackers" will mobilize if things get too bad and they're completely wrong.

Tamper proof, encrypted chains of trust start from the second a device gets power and it's infecting everything from appliances to phones to computers. Get ready for a future where your rented toaster has parts serialization that can't be bypassed.

[ori_b]

Oh -- how do I ensure that the device is running only the software I installed, with exactly the patches I added, rather than a possibly malicious vendor -- for example, if the local government of the country I'm visiting has a court order for phone vendors to silently backdoor phones, it would be nice to know that only the software I personally signed is running.

As someone that patches their OS on the regular, this would be pretty interesting.