German implementation of eIDAS will require an Apple/Google account to function
37 points by DyslexicAtheist 3 hours ago | 29 comments

cebert 57 seconds ago
I am shocked that there isn’t more opposition from the general public to policies like this that erode privacy and freedom. I am a parent and can appreciate the need to control what children do on the internet, but at some point parents need to parent. I fear we’re giving up a lot of freedom and adding unneeded complexity under the guise of keeping children safe.
reply
AlBugdy 15 minutes ago
All these requirements for specific hardware and software are ridiculous. Let every citizen use whatever computer they want. It should be up to the user to secure themselves. Authentication should only require a password or a key pair. If the user wants more security, they can set up TOTP or buy a security dongle or something.

It's also ridiculous how it seems we've forgotten computers other than smartphones exist and that not everyone even has a smartphone, let alone with an Apple or Google account.

reply
raphman 2 hours ago
Mastodon thread on this topic: https://mastodon.social/@pojntfx/116345677794218793

See also this issue from 2025 where the developers responded: https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...

AFAICT, there is no mention of an Apple or Google account being required in general - the documentation just lists "signals" that are used to securely authenticate a person - such as Google's/Apple's security ecosystems. I am not sure what this means in practice. Can anybody with deeper understanding explain the actual implications and possible outcomes?

(Note: BMI is the German Federal Ministry for the Interior)

reply
lta 2 hours ago
That sounds like a very smart move at a time when Europe realizes the US isn't such a gray partner and is trying to reduce its critical dependencies on foreign nations' tech and infra. Good job. I'm actually very surprised to see this from the Germans, who have this reputation of a great engineering culture
reply
iknowstuff 55 minutes ago
Not in software. German software is awful. Think German cars, banks, telecoms etc.
reply
newsicanuse 36 minutes ago
While I agree, it'd be hard to say that SAP is not good
reply
zelphirkalt 6 minutes ago
SAP software is the bane of most people who have to use it, except for expensive consultants, who make bank preying on hapless, clueless companies opting to use SAP software.
reply
fmajid 53 minutes ago
Ah yes, the fabulous car engineering of Dieselgate.
reply
livvy 2 hours ago
Can anyone point me to where in the MDVN page it mentions requiring Apple and Google accounts? Thanks
reply
weikju 2 hours ago
Because the attestations will only work on iOS and Google Play integrity attested devices. Meaning Apple and Google accounts required.
reply
livvy 42 minutes ago
This is an assumption, but not confirmed.
reply
AppAttestationz 32 minutes ago
I spent months designing a system exactly like this. An account is not needed, at least for Apple.

Play Integrity could be the worst offender here, as it can be leveraged to force a user to have installed the app through the Play Store. Indirectly, requiring a Google account.

reply
jml7c5 2 hours ago
Is the link broken for anyone else? I'm getting ERR_CONNECTION_CLOSED.
reply
zb3 45 minutes ago
> threats:

> unknown system image (e.g. custom ROM)

Oh no, what a horrible crime, somebody dared to modify the operating system on their own device..

reply
NooneAtAll3 2 hours ago
what's eIDAS?
reply
whizzter 2 hours ago
EU digital identity law to make inter-EU signatures (and authentication) work.

As an example, an EU citizen working in Sweden should be able to submit Swedish tax forms whilst living here by using a digital identity from the originating nation.

There are also some standards in place like ETSI standardized extensions to PDF signatures so that you can verify that a signature inside the PDF was actually signed by a specific physical person (the standard is there but it's not fully used throughout the EU yet due to some legacies).

Implementation is a bit of a mess still but things are converging.

reply
mzajc 2 hours ago
Is there a reason this user-hostile mess is preferred over an X.509 certificate (besides big tech lobbying)?

Slovenia hands out certificates for online government services, including document signing, and it seems to be going fine, with the added benefit that Google can't take away my access.

reply
sfjailbird 11 minutes ago
Most people wouldn't know what to do with a certificate, so governments build some stuff on top (like an official mobile app) which makes auth easier. It's usually just certificates underneath (not exposed to the user).

eIDAS tries to harmonize these implementations across EU member states.

reply
Maken 31 minutes ago
eIDAS is about making the electronic IDs emitted by the different EU governments intercompatible, so you can use a Slovenian certificate to authenticate into the German tax system, if you want to.
reply
stefan_ 2 hours ago
The gold standard for digital signatures today is

- someone sends you a docusign link

- you sign up with your email

- you sign with your name in a cutesy font

There's a dispute? Well it was going to end up in court no matter how you signed it anyway. This has all the hallmarks of a design by committee project by people whose salary is paid regardless of demonstrating market fit, productivity, usage, plain sensibleness...

reply
martimarkov 22 minutes ago
Can I use Docusign to provide my identity in Estonia online via my phone when I move there to buy a SIM card or open a bank account or file a document with the local authority?

Can I also send the Docusign document via Signal without Docusign knowing the person who signs it?

Because that is what the eIDAS is supposed to deliver on top of cryptographic validation of signatures.

reply
bossyTeacher 31 minutes ago
> There's a dispute? Well it was going to end up in court no matter how you signed it anyway.

The fact that it's ALWAYS a docusign is the ridiculous part. It is just a glorified where you enter your name and email. No need to pretend otherwise. Any other service would be just as good. This is basic human sheep-like behavior?

reply
ezfe 2 hours ago
https://en.wikipedia.org/wiki/EIDAS

electronic IDentification, Authentication and trust Services

reply
stefan_ 2 hours ago
So what was the point of putting a crypto chip into every ID if you are gonna try and reinvent the entire trusted environment in the fucking smartphone?
reply
AppAttestationz 39 minutes ago
The title is misleading.

App attestation does not require an Apple account nor a Google account. For Android, it does limit the ROMs to Google certified ones and requires GMS to be installed if Play Integrity is used. An alternative option would be to use the Hardware Attestation API directly; GrapheneOS would be thanking you.

I've spent a good amount of time implementing exactly this type of system for a backup service.

This document specifies a way to cryptographically attest the integrity of an HTTP request hitting a server.

The attestation proves the request came from a device and attests the legitimacy of the bootloader, OS and app.

Google and Apple are in a privileged position to be able to bypass the app attestation though, so depending on the threat model, it's not bulletproof.

edit: Play Integrity could be the worst offender here, as it can be leveraged to force a user to have installed the app through the Play Store. Indirectly, requiring a Google account.

reply
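The request-attestation flow the comment above describes (a device proving that a request was signed by a key certified through the manufacturer's attestation chain, with boot state and app identity vouched for by that chain) can be sketched end to end in Go. This is an added example, not code from the thread or from any eIDAS wallet project. It models only the three checks a verifier always has to make: the certificate chains to a trusted root, the server-issued nonce is fresh, and the signature covers nonce and body. A constructed root stands in for the vendor's real root, the wire format is this example's own (real Play Integrity and App Attest payloads differ and carry more claims), and the names Verifier, SignRequest and MakeAttestationChain are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// must panics on error; acceptable for the constructed fixtures used here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// AttestedRequest is a constructed model of a request carrying a hardware-key
// attestation certificate plus a signature (not the real Play Integrity or App Attest format).
type AttestedRequest struct {
	Leaf      []byte // DER attestation certificate for the device key
	Nonce     string // server-issued single-use challenge
	Body      []byte // the HTTP request body being attested
	Signature []byte // ASN.1 ECDSA signature over SHA-256(nonce || body)
}

// Verifier is the server side: trusted attestation roots plus issued nonces.
type Verifier struct {
	roots  *x509.CertPool
	nonces map[string]bool // nonce -> already consumed?
}

func NewVerifier(root *x509.Certificate) *Verifier {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &Verifier{roots: pool, nonces: map[string]bool{}}
}

// IssueNonce hands out a fresh challenge that binds one proof to one request.
func (v *Verifier) IssueNonce() string {
	b := make([]byte, 16)
	must(rand.Read(b))
	n := hex.EncodeToString(b)
	v.nonces[n] = false
	return n
}

// Verify rejects unknown or replayed nonces, certificates that do not chain
// to a trusted root, and signatures that do not cover this nonce and body.
func (v *Verifier) Verify(req AttestedRequest) error {
	if used, known := v.nonces[req.Nonce]; !known || used {
		return errors.New("unknown or replayed nonce")
	}
	leaf, err := x509.ParseCertificate(req.Leaf)
	if err != nil {
		return err
	}
	// A production verifier also parses the leaf's attestation extension (boot state,
	// patch level, app package) and passes intermediates via VerifyOptions.Intermediates.
	opts := x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return errors.New("attestation chain not trusted: " + err.Error())
	}
	// CheckSignature hashes nonce||body with SHA-256 and verifies it against the attested key.
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, append([]byte(req.Nonce), req.Body...), req.Signature); err != nil {
		return errors.New("bad request signature: " + err.Error())
	}
	v.nonces[req.Nonce] = true // consumed: the same proof cannot be replayed
	return nil
}

// SignRequest is the device side: sign SHA-256(nonce || body) with the attested key.
func SignRequest(key *ecdsa.PrivateKey, leaf []byte, nonce string, body []byte) AttestedRequest {
	h := sha256.Sum256(append([]byte(nonce), body...))
	sig := must(ecdsa.SignASN1(rand.Reader, key, h[:]))
	return AttestedRequest{Leaf: leaf, Nonce: nonce, Body: body, Signature: sig}
}

// MakeAttestationChain stands in for the manufacturer: a constructed root CA and a
// device leaf it signs. On real hardware the leaf key never leaves the secure element.
func MakeAttestationChain() (root *x509.Certificate, leafDER []byte, devKey *ecdsa.PrivateKey) {
	now := time.Now().Add(-time.Minute)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Attestation Root"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device-attested-key"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	devKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafDER = must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &devKey.PublicKey, rootKey))
	return root, leafDER, devKey
}
```

Nothing in this flow calls a Google or Apple service; the trust decision rests entirely on which root sits in the verifier's pool, which is exactly the dependency the thread is arguing about. Swapping that root for a government CA's root turns the same check into the certificate-based login mzajc describes for Slovenia; what changes is who controls the root and whether the key lives in a smart card or in the phone's secure element.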
bossyTeacher 36 minutes ago
> App attestation does not require an Apple account nor a google account. For Android, it does limit the ROMs to Google certified ones and requires GMS to be installed.

To me, there is no difference between your sentences. You require the blessing of an American company to be able to use eIDAS. Google has the power to disable eIDAS at a national scale by making the attestation services treat all devices as not certified.

There should be NO reliance whatsoever on a private company not under the control (direct or indirect) of the government let alone a foreign private company.

Edit: I just noticed your username and the fact that your account is very new. Are you astroturfing?

reply
AppAttestationz 13 minutes ago
I made an account because I'm qualified to talk about this topic :-) I've spent considerable time testing every corner case of UX and DX of an app attested service.

App attestation can fail on simulators, GrapheneOS, dev builds, I've seen it all. There is one check you can do to see if an app was sideloaded, so indirectly, it can require a Google account.

Title is still misleading though, as it explicitly mentions accounts.

reply
AppAttestationz 28 minutes ago
I agree, there is still a reliance on the tech giants that produce the phones, who are the ones embedding the cryptographic keys, to make this end to end attestation work.

But in pure technical & UX terms, you don't need to be logged in.

reply
bossyTeacher 12 minutes ago
Can you provide some proof that you are not a bot?

"But in pure technical & UX terms, you don't need to be logged in." this is orthogonal to my point.

reply