NeonPurpleStar :heart_bi: (neonpurplestar@outerheaven.club)'s status on Friday, 01-Aug-2025 01:20:08 JST
NeonPurpleStar :heart_bi:
@kravietz @kallekn
if it matters, i do have an /e/os fairphone and banking apps do work
kravietz 🦇 (kravietz@agora.echelon.pl)'s status on Friday, 01-Aug-2025 01:20:10 JST
kravietz 🦇
I think Murena uses MicroG emulation of Google SafetyNet, which enables them to work. But on “raw” LineageOS or GrapheneOS they will most likely not work.
Kalle Kniivilä (kallekn@mastodonsweden.se)'s status on Friday, 01-Aug-2025 01:20:12 JST
Kalle Kniivilä
@kravietz What does it mean that the phone needs to be attested? I am running eOS (Murena) and I have two Swedish e-id apps on my phone, BankID and Freja. They seem to be working just fine.
kravietz 🦇 (kravietz@agora.echelon.pl)'s status on Friday, 01-Aug-2025 01:20:13 JST
kravietz 🦇
Traditional shitstorm about #Android device attestation in EU Identity Wallet with Age Verification project:
https://github.com/eu-digital-identity-wallet/av-doc-technical-specification/discussions/19
Previously, I have commented on the project stating that it’s neither right nor necessary to rely on a single commercial proprietary function (Google Play) for the device attestation and I hold this.
But in this thread there are plenty of voices who contest the whole idea of attestation, the argument boiling down to “I own my device and nobody’s going to tell me what to do!!!” which is as naive as it is incorrect:
- Ownership doesn’t imply 100% control over every single aspect of your hardware. Starting from WiFi hardware enforcing legal transmitting power limits and the DFS feature required in your region, because messing with the latter would interfere with tons of other, often safety critical communications, or air traffic safety.
- The fact that you own e.g. a car doesn’t mean you are allowed to freely modify its hardware and firmware beyond the legal limits, and this is right because that’s the point where the safety of other road users depends on your brakes, lights etc. So yeah, you can even build your own car from scratch in your garage and control every single bolt in it, but you won’t be allowed to drive it on the public roads - and I’m personally fine with it.
- As can be inferred from the examples, the device you own is not always only about you. When you enter a mutual legal relationship with another party - be it a private individual or the government - both of them want to have assurance about the legal effects of the agreement.
- For example, using the Polish app mObywatel you can legally sign a binding contract with another private person - and as the other person I don’t want you to sign an intellectual property sale contract with a fake identity from a phone that is really an Android emulator running in China or Russia.
- That’s why I, as the other party, am interested in you being forced to use a chain of trust as strong as is technically and legally possible. If you don’t like it, that’s fine, we can sign the contract in person too.
- As far as I’m aware, nobody makes you “have a phone similar to an ATM”. The argument is that if you want to enter mutually binding legal agreements with assurance higher than today using your phone, then this phone will need to be attested. If you don’t want your phone to be attested, then the status quo remains, you won’t be able to enter these agreements, just like you are today. Sounds fair to me.
In other words, freedom to tinker - which I generally agree with - ends where other humans are expected to interact and potentially bear consequences of your tinkering.