alt Hacker News> Why was this decision ever made?
because it wasn't made
the decision which was made was having a digital ID wallet, that this needs hardware attestation (or something comparable) is somewhat of a direct consequence of existing laws/regulations regarding making IDs forgery safe
it also is a phone only application
the huge huge majority of phones runs Googled Android/iOS, so you support them
if there where a relevant 3rd party competition it would (most likely) supported it, too
going back to the "the president .. shut down .." argument: The US can shut down >90% of all smart phones used in the EU. I don't think the US being able to shut down something which in the end is fundamentally just a minor convenience feature is making much of a difference here.
But I also think that whole identity wallet (the regulations behind it) is approaching things from the wrong direction, carrying a credit card sized ID with you isn't really a problem or very inconvenient. So instead of having the whole attestation nonsense it would be more practical to simply not have attestation and in turn allow the digital ID only for usage where the damage it can cause is quite limited. Especially given that device attestation systems have a long history of being circumvented...
As a side note this whole app is distinct from the "use you ID with through your phone/NFC with applications" thing many EU countries have, through that solutions also tend to have attestation issues in most cases. But again most relevant use-case of it can be done just fine, without the security level attestation tries to provide, if approached pragmatically.
Replies
> having a digital ID wallet, that this needs hardware attestation (or something comparable) is somewhat of a direct consequence of existing laws/regulations regarding making IDs forgery safe
How do you figure? Isn't just having the digital ID be signed by a key belonging to the issuer good enough for that?
If something is actually important, don't put it on a computer. Don't let a computer be in the critical path of anything that actually matters. It's really quite simple. Even before "AI" this technology was not reliable enough for serious, important things--systems that need to be maintainable in adverse conditions (battle damage, etc), systems where failure is not an option (proving your identity, proving your children are yours, ...). If you care about your car, truck, tractor, or dozer being maintainable and reliable, don't get one with a computer in it. Until we can figure out how to make these things reliable and maintainable they're not to be trusted.
Can you show an example of defeating hardware attestation? It would be useful for many 3rd party ROM users.
Have you seen our President? Minor conveniences are what trigger him into launching full blown DOJ investigations, wars, and economic disaster. If he realizes he can just "turn off" the EU, oh, he will threaten that on Truth Social tonight in a rant about how they should make a deal or else.