They might have some great software _somewhere_ but I have yet to see it.
Play Integrity could the worst offender here, as it can be leveraged to force a user to have installed the app through the Play Store. Indirectly, requiring a Google account.
See also this issue from 2025 where the developers responded: https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
AFAICT, there is no mention of an Apple or Google account being required in general - the documentation just lists "signals" that are used to securely authenticate a person - such as Google's/Apple's security ecosystems. I am not sure what this means in practice. Can anybody with deeper understanding explain the actual implications and possible outcomes?
(Note: BMI is the German Federal Ministry for the Interior)
Explanation: https://mastodon.social/@pojntfx/116345725515845020
There is in practice no known way around it for now, and even less so one for regular people, to use this on a device without a Google account
> unknown system image (e.g. custom ROM)
Oh no, what a horrible crime, somebody dared to modify operating system on their own device..
App attestation does not require an Apple account nor a google account. For Android, it does limit the ROMs to Google certified ones and requires GMS to be installed if Play Integrity is used. An alternative option, would be to use the Hardware Attestation API directly, GrapheneOS would be thanking you.
I've spent a good amount of time implementing exactly this type of system for a backup service.
his document specifies a way to cryptographically attest the integrity of a HTTP request hitting a server.
The attestation proves the request came from a device and attest the legitimacy of the bootloader, OS and app.
Google and Apple are in a privileged position to be able to bypass the app attestation though, so depending on the threat model, it's not bulletproof.
edit: Play Integrity could the worst offender here, as it can be leveraged to force a user to have installed the app through the Play Store. Indirectly, requiring a Google account.
To me, there is no difference between your sentences. You require the blessing of an American company to be able use eIDAS. Google has the power to disable eIDAS at a national scale by making the attestation services treat all devices as not certified.
There should be NO reliance whatsoever on a private company not under the control (direct or indirect) of the government let alone a foreign private company.
Edit: I just noticed your username and the fact that your account is very new. Are you astroturfing?
But in pure technical & UX terms, you don't need to be logged in.
"But in pure technical & UX terms, you don't need to be logged in." this is orthogonal to my point.
I said the title is misleading, which it is.
Your argument that app attestation should be avoided because big tech company can withhold it is garbage. It holds no water. They can cut off access to the app in general by removing it from the app stores and the devices that have it installed.
American big tech has Europe in a stranglehold, I agree with your sentiment there.
eIDAS can be used with the ID reader on Linux even, there's no lock out. They want to offer a convenient alternative for the normies, in a secure manner, I don't mind.
Edit: my 70 y/o mother even eIDAS authenticates (not germany, other EU country) on Linux Mint. There's no argument for lockout in my anecdotal perspective.
App attestation can fail on simulators, Graphene OS, dev builds, I've seen it all. There is one check you can do to see if an app was side loaded, so indirectly, can require Google account.
Title is still misleading though, as it explicitly mentions accounts.
Google details new 24-hour process to sideload unverified Android apps (1196 points, 16 days ago, 1262 comments) https://news.ycombinator.com/item?id=47442690
It's also ridiculous how it seems we've forgotten computers other than smartphones exist and that not everyone even has a smartphone, let alone with an Apple or Google account.
You're linking to a bugtracker. I doubt they're inviting people to spam it with duplicate entries — valid as I think the concern is. But maybe it says somewhere that you can leave feedback here and I just haven't seen it?
From their README:
> We are interested to receive feedback on all aspects described in the document. To provide feedback, please file an Issue on OpenCoDE.
https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
This may not be unwelcome for authorities considering the recent extrajudicial “unpersoning” of many political enemies in the EU.
NooneAtAll3•5h ago
ezfe•5h ago
electronic IDentification, Authentication and trust Services
whizzter•5h ago
As an example, an EU citizen working in Sweden should be able to submit Swedish tax forms whilst living here by using a digital identity from the originating nation.
There are also some standards in place like ETSI standardized extensions to PDF signatures so that you can verify that a signature inside the PDF was actually signed by a specific physical person (the standard is there but it's not fully used throughout the EU yet due to some legacies).
Implementation is a bit of a mess still but things are converging.
stefan_•5h ago
- someone sends you a docusign link
- you sign up with your email
- you sign with your name in a cutesy font
Theres a dispute? Well it was going to end up in court no matter how you signed it anyway. This has all the hallmarks of a design by committee project by people whose salary is paid regardless of demonstrating market fit, productivity, usage, plain sensibleness...
bossyTeacher•4h ago
The fact that it's ALWAYS a docusign is the ridiculous part. It is just a glorified where you enter your name and email. No need to pretend otherwise. Any other service would be just as good. This is basic human sheep-like behavior?
martimarkov•4h ago
Can I also send the Docusign document via Signal without Docusign knowing the person who signs it?
Because that is what the eIDAS is supposed to deliver on top of cryptographic validation of signatures.
alfiedotwtf•2h ago
mzajc•5h ago
Slovenia hands out certificates for online government services, including document signing, and it seems to be going fine, with the added benefit that Google can't take away my access.
Maken•4h ago
sfjailbird•4h ago
Eidas tries to harmonize these implementations across EU member states.
whizzter•3h ago
The big question is how to let users properly handle their certificates so they won't get abused into being useless.
If I understood it correctly, the German current Ausweissapp seems to require NFC to read it from your personal id card together with a PIN code you got with the card, it's not entirely user-friendly since aligning the card with your phone seems to be prickly.
Swedish BankID handles it internally in their app (unlocked via PIN's) but they don't have a good way to use it to sign things (It all relies on the infrastructure even if they give out signature documents it's not compatible with pADES).
There's a new govt sponsored one that I assume will piggyback on the personal cards/passes that are readable via NFC.
Norway and Denmark iirc supports proper signatures but I don't think the certificates are under user control (someone correct me if I'm wrong here).
Now these things are mostly issues for document signatures, authentication is often handled via other flows.
What I skimmed from the article, it seems to be more in line with Swedish BankID and is actually fairly smooth for end users even if less secure than what they have now with Ausweissapp.
lucb1e•3h ago
I assume this should be "intra-EU"? I'm not very familiar with eidas so I'm not sure, but afaik it's about signatures within the EU, not between different EUs (as there is only one in this world). (I hate this inter/intra wording, always have to translate it in my head to understand whether it's like internet (between networks) or like intranet (within a network). Would recommend using "within-" instead of intra whenever it's not already a well-established word, like intranet)
whizzter•3h ago
ResearchAtPlay•3h ago
Several paid providers for X.509 certificates exist but document signing certificates cost around 80 € per year [0]. And if I want duplicate X.509 certificates for my redundant Yubikeys then the cost doubles.
Other providers require an initial deposit and then charge per signature [1], which leads to intransparent pricing. In the interest of open commerce, I strongly believe that securely signing an electronic document should cost the same as my manual signature, i.e. nothing.
A partial solution already exists because I can use my electronic ID card with the AusweisApp to prove my identity when interacting with German authorities. This feature is generally useful because I live outside of the EU, but I especially appreciate that I can have my OpenPGP key signed by Governikus (a government provider) to prove the key belongs to my name [2].
Technically, I should be able to use my certified PGP key to sign documents, but in practice most non techies don't know how to validate my signature. For the average user opening my signed PDF in Adobe Reader, I would need an X.509 certificate from a trusted Certificate Authority for users to see the green check mark.
[0] https://shop.certum.eu/documentsigning-certifcates.html
[1] https://www.entrust.com/products/electronic-digital-signing
[2] https://pgp.governikus.de/wizard/requirements