Kinda, yes.

(slightly simplifying the mechanism here)

This seems to be based on the EU Wallet project, which is still work in progress. The EU wallet is based on OpenID (oidc4vci, oidc4vp). The wallet allows for selective disclosure of attributes. These attributes are signed by a issuing party (i.e. the government of a EU country). That way a RP (relying party) can verify that the data in the claim (e.g. this user is 18+) is valid.

However, this alone is not enough, because it could be a copy of that data. You can just query a wallet for that attribute, store it and replay it to some other website. This is obviously not wanted.

So the wallet also has a mechanism to bind the credential to a specific device. When issuing a credential the wallet provides a public key plus a proof of possession of the associated private key (e.g. a signature over an issuer-provided nonce) to the issuer. The issuer then includes that public key in the signed part of the credential. When the RP verifies the credential it also asks the wallet to sign part of the response using the private key associated with that public key. This is supposed to prove that the credential was sent by the device it was issued to.

Now this is where the draconian device requirements come in: the wallet is supposed to securely store the private key associated with the credential. For example in a Secure Enclave on the device. The big flaw here is that none of this binding stuff works if you can somehow get access to the private key, e.g. on a rooted phone if the wallet doesn't use a secure enclave or with a modified wallet app that doesn't use a secure enclave to store the private key. You could ask a friend who is 18+ to request the credential, copy it to your phone and use that to log in.

Is the EU essentially foisting a someone-else-owns-your-keys regime onto their citizens?

Without the wallet, you'll be forced to jump through the same hoops as you're doing right now. Depending on what EU country you live in, that can be anything between "no real difference" to "making an appointment to exchange stamps on documents".

Or which hoops you mean we have to currently jump through to access 12/14/16/18+ sites

Of course, once upon a time JavaScript was optional, and now it feels like half the web won't work without it. Cookies were optional but now many sites don't even bother with a "Reject All" choice. Google Play was optional on Android, now banking apps don't work without it.

Tried to do KYC with an institution in North America lately? They used to allow diverse options - eg. physically present yourself, get a notary to attest, upload signed documents & ID - but now app-based applets which offer little to no visibility into just what data they're hoovering up from your phone and no way to manually review what you're sending before submission (...to outsourced or even offshore processors) have displaced most of those alternatives due to their convenience (especially to those who don't care about privacy) and cost competitiveness (to the service providers). Filling out customs declarations when traveling is going the same way (with longer, more customer-hostile terms of service and privacy policies than came attached to the old paper forms).

The option that's most convenient to the masses tends to become defacto, and push out the last bastions of safe alternatives relied on by nerds like me - who pay attention to this stuff and try to advocate for user agency, data sovereignty for users, and the means to maintain a healthy privacy and security posture.

I would love to see some kind of attestable flavour of Android that I as a user control the keys to (in my own case I'd even be willing to provide assurances backed up by insurance, a bond, my reputation, repudiation to some degree of vendor liability if things go wrong, etc) with tooling to help me achieve a high level of security in a low-friction manner.

The idea is that once you get used to that, you will get censored from all the internet.

> Is the EU essentially foisting a someone-else-owns-your-keys regime onto their citizens?

Not quite, it's the EU essentially foisting a don't-use-free-software regime onto their citizens

Oh no! Imagine you find a willing adult who does the verification on your phone. The whole system is moot!

Don't need "copy" here for that. They can just do the verification on your device without any technical tricks

Yeah. that's where this system fails. It only stores a single attribute that you wouldn't mind putting on someone else's phone. In the full EU wallet the 'over 18' attribute is part of a larger set of credentials that is basically your entire digital ID. If you were to put that on someone else's phone they would be able to identify as you to numerous government and adjacent services. You'd be a fool to share that.

This whole scheme feels a bit rushed and not thought through.

And then the IDP gives you "yes the user with nonce 123456 is 18" signed with its private key, which you forward to the RP.

The only data "leaked" would be which IDP you used to the RP, and that there was an 18+ verification request to the IDP. The IDP wouldn't need to know which RP they're signing the proof for.

This does allow proxying the requests, but honestly, how locked down does this need to be? It's far easier to just snatch your parent's drivers license or passport at that point.

Uh, replay attacks are a solved problem in pretty much any industry standard challenge-response authentication, including OpenID. Am I missing something?

It does seem like people tried very hard to make it privacy preserving.

Instead, they're trying to shoehorn your device into providing the same safety level and, in doing so, making it by design impossible for you to control your own device. Obviously if the sites trust a device that you control, you can make it tell them anything. The ideological part is that it's not your device anymore then and imo we should oppose that. The technical solution is to use the hardware security chip you already have with a reading mechanism that (nearly?) every smartphone already has and even works on any OS that can run a USB NFC reader. It could be an entirely open standard

I'm sorry but that cure is definitely worse than the disease. This is not an attack you see outside of spy movies

Basically on such a system you can potentially manipulate the process. Here that would probably be to install the credentials of someone else on the device.

So they want a locked down OS environment where user does not have root privileges and software has to be verified (in this case by Google) to be installed.

None of this prohibits users from modifying their bootloader, kernel, or OS image; but any such modification would invalidate the secureboot signature and thus break attestation until the user registered their own signatures with the EU.

The EU currently only transacts with Google in this regard because, as far as I know, they are the only Android OS publisher (and perhaps the only Linux publisher?) that bothered to implement hardware-to-app attestation chaining live in production end-user devices in the decades since Secure Boot came onto the scene. All it takes to change that is an entity who has sufficient validity to convince them that outsourcing permitted-signature verification to Google is unethical, which it is.

It’s a safe bet that Steam Linux was already working on this in order to attest that the runtime environment is unmodified for VAC and other multiplayer-cheating prevention systems in games — and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.

The vendor lock-in here is that Apple and Google and, eventually, Valve, are both willing to put the weight of their business behind their claims to the EU that they do their best to protect the security of their environment from cheaters, with respect to the components required by the EU age verification app. The loophole one could drive a truck through that the EU has left open to break that lock-in in the future? Anyone can petition the EU to accept attestations from their own boot-kernel-OS chain signatures so long as they’re willing to accept the legal risks visited upon them if found to have knowingly permitted exploitation for age check bypasses, or neglected to respond in a timely and prudent manner when notified of such exploitability by researchers — and if the EU rejects their petition improperly, they’ll have to answer for that to their citizens.

But even if you were to want user's phones to be roots of trust...

> as far as I know, they are the only Android OS publisher (and perhaps the only Linux publisher?) that bothered to implement hardware-to-app attestation chaining

GrapheneOS does that. They guarantee this more than Google because Google allows devices with known vulnerabilities: https://grapheneos.social/@GrapheneOS/114864326550572663 (rest of the thread is worth reading, too)

Using Google Play's instead of Android's attestation framework means that nobody else ever could enter this market indeed, no matter how secure the OS

... unless they don't want to turn their device into a boat anchor that nothing else will talk to. It's not going to stop with age verification.

Counterproposal: fuck attestation, and fuck age verification. Individual users, not corporations, associations, or organizations, get to use any goddamned software they want any time they want for any purpose they want, and if you set up some system that can't deal with that, tough beans for you.

Smartcards also seem to have the ability to issue certificate requests. I think the keys inside the cards are signed by a manufacturer trust chain (I got a gemalto card to play with for signatures and places like IdenTrust were able to verify authentic cards, but I wasn't trying to fool anything so it may be possible... but they would only issue certain levels of keys for specific cards)

I'm not saying you are wrong (I don't know enough about the details) but it all was much more sophisticated than I had thought and the chips seem to be running some sort of attestation of the chip in the card. Basically, you can't MITM things if doing so requires getting a private key that only exists in the factory. That sort of thing.

The question is how do you convince other people to trust your phone to store their secrets--not how do you yourself come to trust your own device to store your own secrets. And if you can't convince others your device is secure (i.e. "why the hell would I trust you and your phone to store my password?"), then just use something they can trust instead. I'm not saying EU is going to allow whatever, I'm just saying it's not a huge technical or usability problem to rely on something the EU should be able to trust (like a yubikey) if the EU can't trust your phone.

They’re not concerned about a person handing their phone to someone else for a moment. They’re concerned about kids stealing age verification devices from people. Someone isn’t going to notice a missing yubikey until they check age next. Someone is going to miss their phone much more rapidly, be able to track it using stolen device features, and be able to report it stolen which incidentally remote kills HSM access. They can also enforce biometric checks and require a recertification after those change, which would make it nearly impossible — relative to shoulder surfing a PIN — for kids to make use of the parental device unit.

Even a fingerprint key isn’t going to meet these terms, and it’s going to have a weaker sensor that the kid will have hours or days or weeks to try and defeat using a fingerprinted glass and some glue. Locking it to biometrics stored in the phone prior to (re)certification makes it pointless for kids to try. A few still will, but word will spread.

I still personally think this is all kind of a hot mess of deferring parental authority to technology, but I’m not an EU citizen, nor a parent, so my opinion on the policy is irrelevant. I’m just here to raise awareness of why attestation is winning: technological superiority and unmatchable market fit, and an opposition that isn’t presenting coherent and most especially government-persuasive arguments to stop its use. Yubikeys are not a viable market fit in a world where tiny amoral thieves live among us — and whatever else children are to their parents, most of them have the moral integrity of a wet paper towel. Most wouldn’t think twice about lifting a yubikey, but they’ll hesitate strongly before stealing a parent’s phone, and it won’t even pay off doing so thanks to biometrics.

Intercepting the USB reader traffic to feed the computer a different card is about the most roundabout way of achieving that

This is why it's important that initiatives like Web Environment Integrity fail. Once the tools are in place, they will always be leveraged by the State.

> and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.

I hope that Valve pays no mind to this nonsense and continues to allow art to be accessible to anyone.

Governments have real and serious need for verifications that are backed by their force. They’re a government; they are wielding force upon citizens by doing this, knowingly and intentionally. That is a normal and widespread purpose of the State existing at all: to compel people to align with the goals of the State, whether members of the State like it or not, until such time as the State’s goals are changed by whatever means it permits or by its collapse.

If this pans out for them, as cryptographically it will but remains to be how vendors and implementations handle it at scale, then they can introduce voting from your phone — the previously-unattainable holy grail of modern democracy — precisely because it lets the government forcibly stop the cheating that device-to-app/web attestation solves. And they can do so without leaking your identity to election officials if they care to! Just visit a government booth once in a while to have your identity signature renewed (and any prior signatures issued to your identity revoked). That’s how digital wallet passports and ID cards work already today anyways, with their photo/video/NFC processes.

Western sfbay-style tech was founded on the libertarian principle that one should be able to tell the government to fuck off and deny taxation, representation, blah blah etc. in favor of one’s armed enclave that does what it feels like. It’s fine to desire that, but it’s proven too radical to be compatible with the needs of nation-states or the needs they enforce satisfactions for on behalf of their citizens. Attacking attestation won’t solve the problem of the “State”, and has led us to a point where Google can claim truthfully to a “State” that the Android forks ecosystem isn’t competent enough to be trusted, because they can’t be bother to do attestations.

we've banned all graphic depictions from the internet, required a verified name attached to every blog post, and made sure to confirm everyone's digital passport before letting them resolve a DNS query, but at least now I can vote from me phone instead of having to go outside. The future is bright!

GrapheneOS has optional attestation, either local (another device) or remote (their server) attestation.