Hacker News new | ask | show | jobs
by kodebach 68 days ago
Simply because the law was written that way. But also the whole idea of identity verification becomes pretty useless, if there is no chain of trust. You could run a modified client that lets you assume any identity you choose, exactly the opposite of what eIDAS is trying to achieve.
4 comments
notpushkin 68 days ago
> You could run a modified client that lets you assume any identity you choose

Provided you know the secret key to a government-issued certificate. Making it impossible to copy said certificate is not really a requirement for identity verification.

link
subscribed 68 days ago
Some countries fixed it already, see Estonian ir Polish IDs with digital layer (performing signing, authentication, etc), and the devices only acting as untrusted interfaces to these.
link
notpushkin 67 days ago
It’s still impossible to extract an Estonian certificate from the smart card (or Mobiil-ID/Smart-ID), no?
link
subscribed 67 days ago
I believe do, I didn't see a successful attack yet.
link
subscribed 68 days ago
But you can run modified client already.

Rooted, wildly insecure devices can pass the attestation easily: https://magisk.dev/modules/play-integrity-fix-inject/

Safe, updated devices cannot unless they permit Google to run their surveillance services in the privileged, unconstrained mode.

link
pwlb 67 days ago
The documentation actually reveals why this will most likely not work, given you are on expert on mobile security
link
subscribed 67 days ago
Oh, you don't say. The above was a link to the source module, but ad with magisk there are many ways to peel the potato.

I've see countless users confirming it works for them, for example by using this workflow: https://magiskzip.com/how-to-pass-integrity-with-strong-chec...

But as an expert on the mobile security you can assure us its not possible to spoof Google play integrity pass with Magisk - am I right?

link
sam_lowry_ 68 days ago
Who wrote that law and why, this is the question.

I think we need some fingerpointing that EU officials strive to avoid.

link
kro 68 days ago
It will likely display something like a QR Code with signature anyways, otherwise it's just a glorified passport picture?

Authorities/anyone could verify that it's not counterfeit. And photo should be checked anyways to match the person.

So I also don't see the need for attestation. For ID check it should be ok without. For signing stuff ofc it is not resistant to copying. But EID smartcard function already exists.

link