peppelinux
commented
1 year ago @fmarino-ipzs 's
I think that the wallet provider is only able to attest the TEE capability. The Wallet Solution must ensure that the private keys are securely stored.
Closed peppelinux closed 5 months ago
peppelinux
commented
1 year ago @fmarino-ipzs 's
I think that the wallet provider is only able to attest the TEE capability. The Wallet Solution must ensure that the private keys are securely stored.
balanza
commented
1 year ago The point is on the genuineness of the mobile app. The problem is sociotechnical as it involves legal concerns as well as technical constraints and facilities provided by the Device's OS vendors.
We are investigating possible solutions to that, we'll keep you posted.
asharif1990
commented
1 year ago Concerning the genuineness of the mobile app, can't we rely on the App attestations using the Google Integrity API/iOS device check?
grausof
commented
1 year ago Concerning the genuineness of the mobile app, can't we rely on the App attestations using the Google Integrity API/iOS device check?
There is an extensive ongoing discussion regarding this matter that requires further attention. Several issues arise, including concerns about privacy, ensuring universal availability of the service to all citizens, as well as the involvement of non-EU services, among others!
asharif1990
commented
1 year ago Concerning the genuineness of the mobile app, can't we rely on the App attestations using the Google Integrity API/iOS device check?
There is an extensive ongoing discussion regarding this matter that requires further attention. Several issues arise, including concerns about privacy, ensuring universal availability of the service to all citizens, as well as the involvement of non-EU services, among others!
I see. Concerning privacy, can you elaborate on it (I am curious to know about it)? regarding the availability I agree somehow with it, but if we cannot assume the user has a mobile device with a minimum version of Android/iOS that is needed for the use of these services, we may encounter the same problem for the Secure storage of credentials/keys on the mobile devices as well.
grausof
commented
1 year ago Concerning the genuineness of the mobile app, can't we rely on the App attestations using the Google Integrity API/iOS device check?
There is an extensive ongoing discussion regarding this matter that requires further attention. Several issues arise, including concerns about privacy, ensuring universal availability of the service to all citizens, as well as the involvement of non-EU services, among others!
I see. Concerning privacy, can you elaborate on it (I am curious to know about it)? regarding the availability I agree somehow with it, but if we cannot assume the user has a mobile device with a minimum version of Android/iOS that is needed for the use of these services, we may encounter the same problem for the Secure storage of credentials/keys on the mobile devices as well.
It is possible to check the minimum requirements, the problem is to contact non-EU services such as SafetyNet or App Attest Service for apple. The main privacy issue is related to IP addresses
grausof
commented
11 months ago I add that the integrity check can also be used as an authentication system of the Wallet Instance towards the Wallet Provider. This way, issuing n attestation will only happen if the integrity check is passed (preventing anyone from getting attestation outside the app). cc @peppelinux
asharif1990
commented
11 months ago I add that the integrity check can also be used as an authentication system of the Wallet Instance towards the Wallet Provider. This way, issuing n attestation will only happen if the integrity check is passed (preventing anyone from getting attestation outside the app). cc @peppelinux
I would like to recommend the consideration of key attestation beside the integrity check as it provides useful information regarding the type of secure area that the user's phone support + basic cryptographic properties of the attested key. This information would be useful to be returned in the Wallet instance Attestation as mentioned by @peppelinux here.
peppelinux
commented
6 months ago grausof
commented
5 months ago Duplicated of https://github.com/italia/eudi-wallet-it-docs/issues/161 I'll close the issue and let's move the discussion there
_Originally posted by @fmarino-ipzs in https://github.com/italia/eidas-it-wallet-docs/pull/14#discussion_r1244948685_