Hacker News: pwlb

New comment by pwlb in "German implementation of eIDAS will require an Apple/Google account to function"

pwlb — Sun, 05 Apr 2026 18:53:19 +0000

The documentation actually reveals why this will most likely not work, given you are on expert on mobile security

New comment by pwlb in "German implementation of eIDAS will require an Apple/Google account to function"

pwlb — Sun, 05 Apr 2026 18:48:15 +0000

The documentation clearly outlines that there are multiple signals being analysed. Relying on play integrity alone is definitely not sufficient as you state.

New comment by pwlb in "German implementation of eIDAS will require an Apple/Google account to function"

pwlb — Sun, 05 Apr 2026 18:42:25 +0000

EIDAS 2 motivation is implicitly that eID failed in eIDAS 1. It simply either didn't take off or didn't work at all

New comment by pwlb in "German implementation of eIDAS will require an Apple/Google account to function"

pwlb — Sun, 05 Apr 2026 10:38:31 +0000

This is necessary because the wallets contain an identity proofing functionality called PID(Person Identification Data). Showing these credentials basically approves you are you. There are high requirements for identity proofing that even pre-date wallets and that makes sense, because the potentially blast radius of identity theft is huge. Historically, these have been secured in smartcards, like eID cards or passports and are not shifting to the smartphone. Verifying the security posture of your device and app is therefore crucial.

New comment by pwlb in "German implementation of eIDAS will require an Apple/Google account to function"

pwlb — Sun, 05 Apr 2026 10:20:34 +0000

Banks actually have high fraud rates today because of weak security mechanisms. If attackers steal your money, the bank will reimburse you. If attackers steal your identity, you are really screwed. Security requirements for banking and identity are simply different.

New comment by pwlb in "German implementation of eIDAS will require an Apple/Google account to function"

pwlb — Sun, 05 Apr 2026 10:17:46 +0000

Preventing credential duplication is a requirement to achieve high level of assurance. One of its purpose is to limit the potential damage that can be done by attacks. If credentials are bound to hardware-bound keys, attackers will always need access to this key store to make any miss-use. If you don't prevent duplication, attackers may extract credentials and miss-use them at a 1000 places simultaneously.

New comment by pwlb in "An illustrated guide to OAuth"

pwlb — Mon, 25 Aug 2025 16:35:17 +0000

This is due to many parts of the system being spread across multiple IETF RFCs, which happens as OAuth was improved and made more secure over time. Efforts are underway by combining all important parts into OAuth 2.1, otherwise have a look at FAPI 2.0 security profile for high assuance use cases.

New comment by pwlb in "Ten years of JSON Web Token and preparing for the future"

pwlb — Mon, 26 May 2025 07:35:55 +0000

You may have a look at this (still a Draft): https://datatracker.ietf.org/doc/draft-ietf-oauth-status-lis...

New comment by pwlb in "A planned EU regulation about website certificates is causing concern"

pwlb — Mon, 28 Feb 2022 16:26:07 +0000

Where exactly do people move if they only chose between Firefox and Chrome, there is not enough competition in the browser market

New comment by pwlb in "Response to 'Call for Review: Decentralized Identifiers (DIDs) v1.0'"

pwlb — Thu, 30 Sep 2021 12:36:21 +0000

First,which DID methods will be successful is a question of time, additional your wallet app could support multiple of these DID methods. Second, DID and the corresponding keys are supposed to be owned by the user or managed by a platform, any indivdual can make the choice whteher he wants convience of managed keys or full privacy under his own control Third, you can have a seperate DID for every service and they issue you an login credential for that particular service.

New comment by pwlb in "Response to 'Call for Review: Decentralized Identifiers (DIDs) v1.0'"

pwlb — Wed, 29 Sep 2021 12:52:55 +0000

Not necessarily is DID connected to publishing something on a blockchain. First: DID does not make any statements to the underlying infrastructure, this can be a completely decentralized public, permissionless blockchain but also public, permissoned ledger(also decentral but a little less) or the did Methods using a central server as referenced in the w3c mozilla response. DID for example solves/enables some aspects of the 10 principles of SSI, e.g. portability

New comment by pwlb in "Response to 'Call for Review: Decentralized Identifiers (DIDs) v1.0'"

pwlb — Wed, 29 Sep 2021 12:37:28 +0000

not yet, but identity giants like okta and ping are already looking at SSI very carefully. digital identity will be key in the next years

New comment by pwlb in "Response to 'Call for Review: Decentralized Identifiers (DIDs) v1.0'"

pwlb — Wed, 29 Sep 2021 09:28:31 +0000

Self-Sovereign Identity and DIDs are a very fast moving train. People argue that in the early internet days there was a similar competition between new protocols(compare with DID methods) before we arrive in our todays HTTP(S)-only world. Similarly DID methods will probably consolidate to a handful within few years and DID Core is only a first step to get a minimal common denominator. Also its questionable if Microsoft&Google and the others are fearing a rapidly evolving ecosystem that they can not jump on as fast and therefore remain sceptic in any case

New comment by pwlb in "Only 6 of the 50 largest companies are in Europe. LVMH is highest at #18"

pwlb — Mon, 14 Jun 2021 22:43:39 +0000

That sounds like a view from last century. FAANG multinational, sovereign companys and they are interested in money and are not interested in losing their userbase. moreover a lot of these companys have offices in europe as well, so part of these solutions are developed in europe as well. having the HQ in one country is only one aspect of a company

New comment by pwlb in "Cryptography and how to deal with man-in-the-middle attacks in JavaScript"

pwlb — Thu, 29 Apr 2021 13:04:56 +0000

Core mechanisms to prevent Man-in-the-Middle are missing in the article: PublicKey/certificate-Pinning or PKIs. Cryptography is best left to the experts, most of todays javascript developers are probably missing the knowledge to implement or use it in a correct way

New comment by pwlb in "The reason Okta spent $6.5B on Auth0"

pwlb — Fri, 05 Mar 2021 21:21:13 +0000

Self-Sovereign Identity might replace major parts of the federated identity market within 5 years i expect. even Okta CEO admitted that self-sovereign identity will be the future. the major problem is that the decentralized nature of SSI, will remove the most part and profit of 3rd party tools, as it is easier and cheaper to have direct relations between services and users

New comment by pwlb in "Czech gunmaker CZG buys Colt in cash and stock deal"

pwlb — Fri, 12 Feb 2021 17:13:49 +0000

Is there any country in history that prevented its downfall because its civilians are armed to the teeth?

New comment by pwlb in "I made Deskreen, open source app to make any device a second screen for computer"

pwlb — Mon, 18 Jan 2021 22:30:23 +0000

Anybody who wants to this with Linux: scrcpy uses adb(turn on usb debug) und works like a charm

New comment by pwlb in "Show HN: See the Price of Stocks in BTC"

pwlb — Tue, 12 Jan 2021 11:09:50 +0000

comparing all the stocks, seeing that only tesla is in a stable curve near the end, leads me to the following conclusion: Both Tesla and Bitcoin are heavily overpriced!

New comment by pwlb in "Poll: Switching from WhatsApp"

pwlb — Thu, 07 Jan 2021 17:17:38 +0000

encryption is only and-to-end, and searching on your device is easily doable