EU Digital Identity Reform: The Good, Bad and Ugly in the EIDAS Regulation

To everyone from the previous discussion who was absolutely certain everything is agreed and set in stone: that&#x27;s not how the EU works. There have been multiple changes since Mozilla&#x27;s public letter, and there is still at least one trilogues meeting and then the council and parliament votes, so things can still evolve.<p>That being said, the law is pretty good and will be a net benefit even in it&#x27;s current state. The Wallet being opt in, without any discrimination possible based on it, the obvious downsides in the lack of strict controls on how user history is handled by member states (unobservability was never on the cards), and also an European appeals process if the local authority is slacking off (cough Ireland cough).<p>I&#x27;m looking forward to having secure reliable EU wide electronic ID. I&#x27;m sick of having to upload or send by email&#x2F;old mail random scans to prove identity, or to have to pay to a cartel of private electronic signature providers. A 21st century solution is well appreciated.

Its remarkable that citizens from mostly the US and UK think this is horrible, while most citizens from western Europe actually already deal with these systems on a national level - so it isn&#x27;t anything new.<p>Similar to how bank transactions have been instant in Europe for more than two decades, but are still a novelty in the US. Or pre-filled tax forms.<p>This regulation should be seen in the context of the pre-existing systems which it builds on, towards a common European standard. An obvious criticism is that this centralizes power, but that is fundamentally rooted in the assumption that the EU is similar to the US: It&#x27;s not.<p>In the EU the component States are very influential, they have formal or &#x27;soft&#x27; veto&#x27;s on practical all matters. There are no EU presential elections. The EU &#x27;government&#x27; is run by appointees nominated by the States. Its much more like the US Confederacy. (pre- federation, long before civil war, not that confederacy)

&gt; The Wallet will have a full transaction history of every request for information the user ever received […]<p>This sounds good because it allows you to audit who received your personal information, but it also provides a nice breadcrumb that allows attackers to figure out your behavioral patterns. I wish it became more common for information to self-destruct, we don&#x27;t need logs of everything forever.

I’ve been using one of these id wallets since a few years (itsme) and it’s been a huge quality of life improvement. I don’t have to create accounts, passwords, etc; I just login to the websites, it’s like a global single sign on.<p>While the fact that it’s done under my verified real name and address could be a privacy issue in some cases, it’s also a big security improvement for all the cases where the third party need that info anyway.

&gt; every web browser in the world will be forced to trust the root certificates from all European Trust Service Providers<p>What I could never understand is why limiting the scope of root certificates is not a standard feature? Why cannot I set a whitelist of domains for the specific root certificate and expect the connection to fail when this root is used for anything else?

&gt; <i>The final text of the eIDAS regulation counters this with a right to pseudonymity[: i]t allows users to use a pseudonym generated by the Wallet and that is only stored locally</i><p>In which scenarios could it happen that for pseudonymity, for the purpose of anonymity, one should resort to a pseudo-identity generated by the certificate for the actual identity?

Has there been any talk about implementation details? What protocols and standards will be used? I know there are quite a few competing standards being worked on in this space (example OIDC&#x27;s verifiable credentials), but I haven&#x27;t seen any mention on what (if any) the EU will standardize on?

The Trilogue happens today, and this is pretty much going under the radar in mainstream media, so it is very very likely Article 45 comes to be approved as soon as this afternoon :(

overall it&#x27;s a huge win. In Germany we effectively already have an eID system as an extension of your national ID and you could use it to for example trivially get covid relief funds as student or you can use it to age verify when buying say, booze on Amazon.<p>The status quo of typing your personal information into random websites only to find them on haveibeenwpnd a few months later rather than having a proper API between your identity and private services is just awful.

Mostly good article, but this made me laugh:<p><pre><code> &gt; In response to the revelations of government mass surveillance by Edward Snowden, the share of encrypted web traffic jumped from less than half to 95%. </code></pre> Seriously?<p>In last 10 years situation with government mass surveillance become much worse. Now majority of web runs on public cloud and &quot;encrypted&quot; by CloudFlare MiTM engine. These are literally centralised mass surveillance platforms.