| ▲ | notpushkin 8 hours ago | |||||||
Just a quick question, and sorry if it might have been answered already... why preventing duplication is so important? I know it’s in the spec probably [1], but I can’t figure out the reason. And a suggestion: add external HSM support at least? (e.g. things like NitroKey/YubiKey) [1]: https://eudi.dev/latest/architecture-and-reference-framework... I suppose? | ||||||||
| ▲ | pwlb 8 hours ago | parent | next [-] | |||||||
Preventing credential duplication is a requirement to achieve high level of assurance. One of its purpose is to limit the potential damage that can be done by attacks. If credentials are bound to hardware-bound keys, attackers will always need access to this key store to make any miss-use. If you don't prevent duplication, attackers may extract credentials and miss-use them at a 1000 places simultaneously. | ||||||||
| ||||||||
| ▲ | notpushkin 8 hours ago | parent | prev [-] | |||||||
I’ve just had another, completely stupid but not implausible, idea: > a local internal WSCD, which is a component within the User device, such as a SIM, e-SIM, or embedded Secure Element, So you could issue SIM-cards / eSIM profiles that only do signatures and nothing else. The app then connects to such eSIM (and you keep your main SIM/eSIM in another slot). The less stupid variant is, of course, to get mobile operators to issue SIM cards with e-sign capabilities. Estonia has that, for example: https://www.id.ee/en/mobile-id/ | ||||||||
| ||||||||