Here are my sources:
-
pluralistic.net/2025/08/14/bellovin/ (I don’t agree with every bit of that article.)
In practice, the security and privacy guarantees of the CL protocol require two different kinds of wholly independent institutions: identity providers (who verify your documents), and certificate authorities (who issue cryptographic certificates based on those documents). If these two functions take place under one roof, the privacy guarantees of the system immediately evaporate.
(“CL” seems to refer to a common zero knowledge proof algorithm.)
-
github.com/…/architecture-and-technical-specifica…
Technical Requirements: An Age Verification App shall support the following: […] Request from the operating system a tamper-evident attestation of AVI properties
(As far as I know, they mean device attestation with this where you no longer own your device.)
-
github.com/eu-digital-identity-wallet/…/20
The EUDI Wallet team is participating in a wider, EU-wide collective sleepwalk into a serious trap: You, along with the entire EU Digital-Identity movement, are hard-wiring the EU’s civic governance to Apple and Google’s hardware and software stack.
-
github.com/eu-digital-identity-wallet/…/15
Requires accepting “Terms of Service” to access basic functions of being a citizen. Your demo video shows you requiring accepting “Terms of Service” and “Data Protection Information” which I guess should really be “Privacy Policy”.
What are your sources?
bekopharm@discuss.tchncs.de 2 weeks ago
The source is the technical spec. Read this yourself more closely!
And let’s not ignore the demo part:
And yes it is good that people watch this carefully (and voice their concerns in a civil matter, which does not seem to be the case with most heated comments from your examples). But!
This is the very same with e.g. Let’s Encrypt. Or a VPN ‘service’. Or CloudFlare, that so many people love to hide behind.
What ifs. The spec does explicitly not allow exactly this and it’s our job to investigate such providers closely and in doubt start and run trustworthy providers ourselves. And Let’s Encrypt is again a prime example for something like this.
Oh and no nothing in the spec nails this down to Google or Apple alone. These are examples for smartphones for existing eco systems. I do not need a smartphone for e.g. AusweisApp and I will ask the same for E-Wallet because this is also in the specs (Interoperability) and explicitly not tied to some vendor specific eco system but to protocols and cyphers.
And this is where the next FUD may come in: TPM[1]. This does [also] exactly this: Device attestation and is a perfect candidate for regular PCs. That’s probably just the next can of worms for you though and with this I’ll end this discussion because even with plenty of What Ifs I do not see this solved from anyone in any better way - and again especially not from some company like Dis-fuckin-cord. This is exactly what a GOV exists for and they’d be sleeping on their job not providing digital ways for this very use-case.
[1] And just so that you may understand my POV on this: I demonstrated against TCPA back in the days. I can accept TPM tho. It’s a rather useful compromise and something similar exists for most smartphone ALSO. That is a good thing because this is responsible for keeping e.g. password wallets private. Something the “oh noes, Windows requires TPM now” crowd never understood - and this is from a die hard Linux user for decades.
ell1e@leminal.space 2 weeks ago
I disagree TPM is a good candidate.