[nip]

In light of all of these shortcomings with platform attestation, why go with the eIDAS 2 wallet approach at all? eIDAS 1 already solved this with Mobile-ID (SIM-based, no Google/Apple dependency) and Smart-ID (server-side key management with minimal platform reliance). What does the wallet model give you that justifies this level of dependency on two American corporations’ proprietary backends?

Especially considering that mobile-ID has been around since 2007.

[Avamander]

SIM-based solutions are on their way out because phones are starting to lose SIM slots. Certifying eSIM implementations to the same EAL level (as Mobile-ID SIMs are) is way way too difficult. At least for one country doing it alone.

Smart-ID sucks. It's not truly hardware-backed, it's proprietary and has fundamental flaws like not having a direct link between the site being authenticated to and the authenticating device (auth can be proxied, just like if it were just plain TOTP).

[nip]

Agree on Smart-ID but the answer is to fix those flaws, not to replace the entire approach with one that depends on Google Play Integrity verdicts that even the German architects admit they can’t fully trust.

SIM-based solutions on their way out is a non-issue. For eSIM to support that use case, political will only is needed: the EU got Apple to abandon the lightning cable, this is not any different.

[Avamander]

> Agree on Smart-ID but the answer is to fix those flaws

Fundamentally can't be, it'd be a whole new solution.

> For eSIM to support that use case, political will only is needed: the EU got Apple to abandon the lightning cable, this is not any different.

Mandate every phone vendor to EAL4(+) certify their eSIMs? I'd love to see that, but I'm not sure that's a viable approach to take.

[nip]

I’m sorry to lash out at you but I keep getting disappointed in European countries (more precisely the ever disappointing EU commission) all suffering of the NIH syndrome instead of collaborating and learning from each other

[ExoticPearTree]

There is mothing to be gained politically by doing this. You think you look good if you say “hey, the Poles had this really good idea, how about we do the same”?

Plus, the process is something like:

- we want to do $something

- hire consultants to help us define $something and produce a document

- hire other consultants to write the specs for the project

- launch an RFP

- select a winner

- wait for the implementation to finish

All the proposed solutions will be something paid, ideally made by a really large company to lend it credibility, and with maintenance costs that justify hiring dedicated people for it.

In the end no one gets what they want.

You think if there was any will wouldn’t the whole EU use whatever the Estonians are doing very well?

[jen20]

> You think you look good if you say “hey, the Poles had this really good idea, how about we do the same”?

Yes.

> You think if there was any will wouldn’t the whole EU use whatever the Estonians are doing very well?

Using the Estonian system would be vastly preferable.

If politics doesn’t allow that, the political environment is broken.

[grundrausch3n]

How is the Estonian system now? I remember when I visited around 2010 our host just had a quite simple smart card reader and could just use it to sign in to government services with their ID and as far as I remember even sign mails and documents. Germany of course could not use normal smart cards but had to use NFC cards with special readers and made the signing feature and additional service you had to pay for on a yearly basis. Of course the Germans system did not went anywhere for years. I do have a reader now and can use it for some governmental services and have very limited appetite to bind the ID to my phone.

[pas]

Ukraine also seems to have solved this pretty well. NFC in the plastic card, selfie video confirmation, etc.

Hungary is also rolling out a "digital citizenship" app. (Also can be bootstrapped via newer plastic cards, so no need to visit the government office.)

[pwlb]

EIDAS 2 motivation is implicitly that eID failed in eIDAS 1. It simply either didn't take off or didn't work at all

[EmbarrassedHelp]

They are also trying to shoehorn in age verification with it.

[mytailorisrich]

Isn't the eIDAS 2 wallet approach a legal requirement of eIDAS 2 (which is an EU regulation, i.e. the law).

[nip]

It is, mandated by the EU commission.

Instead they could have mandated the use of eIDAS 1 to all countries + extend it with attribute/credential support, and let countries choose their implementation (cards, SIM, server-side).

Instead we’re back to the drawing board with the big shortcomings highlighted in this thread.

[mytailorisrich]

Oh OK, I understand your point now.