Hacker News

Imagine someone "enthusiastically digitized" (as much as possible) in a foreign country alone and then they lose their iPhone Plane tickets, all hotel reservations, they don't remember any phone numbers. They use ApplePay and other mobile payments. Cards may be in the same wallet case.

Without a trusted device or Recovery Key, Apple may impose a security delay (24 hours to several days) before allowing a password reset. Getting new SIM and re-authenticating our life will be pain.

> the "money you have" is just an int32

If only it was a uint32

More like a float with a precision of 18.

Most of us who work in payment systems care a lot about precision and reliability.

> that the "money you have" is just an int32

well, luckily, that's not how money is stored, but instead, they're transaction based. Aka, that number you have is a calculated value, not a stored, arbitrary value.

Except...perhaps the central bank's, where they could really just generate that money as an arbitrary value to lend out to other banks.

footnote: of course, your account balance is cached, so that it is not recalculated over and over again...

Witnessing this or Texas floods, politicians in my country dare to say that `We don't need cash'

"just an int32"

I remember hearing that Zimbabwe, during its period of hyperinflation, had problems because the databases for the banking system couldn't handle a time with $100 trillion banknotes, and ATMs didn't work because of overflow errors.

If only they had used int128. :)

Now go read about fractional reserve banking

Not an int32, but a BigDecimal.

Is it in anyway worse when the money you had was some strips of paper, or metal coins, or goats, or salt?

All of those have some very annoying fail scenarios too.

Given reliability and security of payment systems - simple credit card (chip/nfc) should be enough for identity. You could pull off entire election using payment terminals.

Italian living in Sweden, Malmö, and lived in the UK in the past.

I don't get the obsession you Brits have against IDs, in Europe you are pretty much the only ones. But a lot of what you say resonates with my observations:

- single point of failure: absolutely, but so is the "sign in with Google" or equivalent. It's just too convenient. I'd rather have a public service do it than a private company that can cut you out at any time without any explanation.

- Nanny State: 100% also in Sweden, actually worse here. But historically they have been pretty good at protecting freedoms, so far. The UK (or Italy) may be less nanny, but have got some very illiberal things going on these days (left or right government doesn't really matter, it seems).

- Happiest people on earth: I really doubt the surveys measure happiness. They tend to measure trust in institutions, which is very high in Scandinavia.

- It's an incredibly authoritarian society although no Dane would ever say that: exactly the same in Sweden! They would NEVER admit any failure in their society, no matter the hard evidence in front of their eyes. I guess that it's the other side of the same trust of the previous point.

- Drink more øl and get off the internet and go for a walk in a forest: At least you've got øl, in Sweden alcohol is taboo. Forests are nice, but become boring quite quickly :)

I would recommend getting the hardware dongle. I don't have the app, never did, and I've had none of the issues others have been complaining. The dongle is, generally, a much better experience from what I can tell, except if you need to do any authorizations on the go.

Your other complaints: 100% agree, the whole thing is a privacy nightmare.

I wouldn't count on a post mortem of any value. They still refuse to explain how the system has been abused in the past. Regardless of how hard I try, I fail to understand how it has been abused after QR codes was added to ensure presence at the device you're trying to authenticate at. The system feels secure, but has been abused a number of times and we're almost never told how.

> but it's a privacy nightmare.

I've gone the other way from Denmark to UK. And I've often had to mail copies of my passport or other identity documents via email. And my bank requires me to regular scan my face to check that it aligns with the picture in my passport.

Also British, living across the bridge in Malmö, Sweden.

I really like the centralised system, it makes navigating society surprisingly easy when compared to say, Germany or the UK.

The difference is that I sort of trust the Swedish government, they've never really done anything to breach that trust - up to and including their handling of COVID (while controversial, they took the stance of individual liberty and a "collective responsibility" over mandatory top-down systems).

The UK in contrast has a much more heavy handed relationship with the population, up to and including incarcerating people for saying the phrase "we love bacon" at a construction site or typing the letter "n" on social media. It's a different context entirely.

Also, BankID, the central system is a definite weakness, but you can have a card/pin device that still works, and it does work on grapheneOS, though it will complain a bit if you don't have google services installed... which I find hilariously awful...

I have experienced the same privacy culture shock in Denmark. Generally, I think the people’s trust in their government is the greatest social asset of the danish society, as well as their biggest blind spot.

> in quite some ways it's an incredibly authoritarian society although no Dane would ever say that

Did they collectively close their eyes while Denmark was the latest, at EU presidency, in charge of pushing chat control?

All of this is true.

Having lived in Germany it's quite different, but I'd argue the centralized handling of the CPR is actually quite convenient and doesn't meaningfully impact privacy. In Germany every authority has its own ID for you anyway (my password manager has a category "Government Primary Keys" for this), however that means that you have to provide all your information from scratch to every authority. This would theoretically lead to more privacy if we lived in 1926, but now computers are ubiquitous and a rogue government (like Germany is close to electing) can just correlate these keys together. Relational databases have existed for decades and JOINS are cheap. Thanks to surveillance capitalism by now we have very sophisticated ways to deanonymize people, the government can just hire someone to do it.

So the privacy in Germany is most often inconvenience for the citizen paired with hardly any privacy gain from a potentially hostile government. At this point I think the better solution is to avoid electing hostile governments. To Denmarks credit, they're currently doing that better than many other European countries.

WeChat effectively is all of this but does work on rooted phones. There are far too many brands and variations of phones all over China running various forks of Android for them to keep track of.

>MitID doesn't work on rooted android phones, or those running a custom rom.

I find these arguments quite strange. A big part of MitID and similar services is to protect you against fraud. The most vulnerable in society (e.g. old people) aren't running these kinds of devices, and I'd rather we optimize for the general population and the people most at risk, rather than people running some weird setup that is almost identical to setups a scammer would run.

What privacy aspects are you lacking here? For all the services that MitID connects you to, there are government required responsibilities for these companies to track all of this information anyways and be able to provide it to the government if needed. That goes for banking, public services, telecom, etc. And this is in no way unique to Denmark, it's how most countries operate. Denmark has just acknowledged this and decided to make it easier.

Did you expect your UK bank to not be required to know who you are and be able to track and keep records of literally all financial interactions you have with them and their services? I'm a bit confused on what society you are comparing against.

Interesting. Swedish BankID, that I'd guess serves the same purpose, works just fine on GrapheneOS, as well as nation wide payment system Swish.

The Netherlands had a similar system with BSN and DigiD.

I personally prefer it, and I wish the country I live in right now had a better centralized system to deal with the government. It massively reduces bureaucracy and the need for me to produce all sorts of extremely privacy-invasive documents (such as bank statements, utility bills, scans of my driver license and passport) when dealing with the government. Sometimes I even need to mail those things, like, with an envelope.

The government can and will collect all data it needs about you at any given time, no matter if there's a centralized ID or not. It just spares everyone time and effort by removing friction.

Also, I have a very hard time to take seriously someone that unironically says the words "nanny state". It says a lot about your stance on the role of governments and society in general. What it says, to me, is very unflattering.

> I see a few people here complaining about the idea of a central digital identity service.

Digital identity service is fine for gov services. It’s not OK as a hard requirement for anything else such as banking.

Digital ID in my country is down for about 7 days and counting. iOS app no longer opens after the recent update. I cannot pay tax without digital id app working but i can do banking and everything else.

The linked page has 3 down updates, then says it's back up again after the 3rd one. So presumably resolved.

Italy's digital ID (SPID) works by having multiple trusted providers that can attest your identity. You can sign up with multiple of them, and if one is not available you could use another one. Not perfect (it's still centralized in the hand of 10-20 providers) but better than nothing. Unfortunately most people only ever signed up with one provider, and the government is now pushing for a more centralized digital ID istead (CieID).

Agreed, there should not be a tight (temporal) couple.

But it's a trade off. Long-lived TLS certificates have always had the cert revocation problem. OCSP stapling never took off, so in the end the consensus seems to have been to decrease expiry date. (Mostly fueled by Let's Encrypt / ACME).

Relying on expiration rather than explicit revocation of course also assumes (somewhat) accurately synchronized clocks which is never trivial in distributed systems. In practice it put's pressure on NTP, which itself is susceptible to all kinds of hairy security issue.

I like to think of the temporal aspect as a fail-open / fail-close balance. These centralized solutions favour the former, and that's why we see this resulting outage.

For anything as high stakes as eID you need real-time revocation checks, which brings you back to at least some level of centralization.

BankID is not government backed, and most governmental agencies have alternatives to BankID as well.

PKI works offline until you realize you need to handle revocations.

For this and related reasons, such as enforcing protocol upgrades, most smartcard systems end up permanently online.

Revocation.

Finland did that + lot more. Tax system from Gentax, EHR from Epic and social benefits from Salesforce.

> …today it came out that we are also are going to outsource of of our key tax systems to an American company.

That’s a remarkable failure to read the room, given the digital sovereignty initiatives across Europe.

Isn't it the hosting provide and not digid itself?

As I understand it, BankID in Sweden is still run by one organisation co-owned by the big banks, and banks handle verification for issuance. There is still a single point of failure for the operation of the system.

No. As I understand it the previous system, NemID was actually (co?)designed by the banks so this is what they all use. Likewise MitID is another unholy alliance of Nets (a Danish payment provider) and Danish banks.

Given the Swedish version of it is called BankID I assume the situation is nearly the same in Sweden.

No. Many/most of them support login through hardware ID on your smartphone (i.e fingerprint/TPM-style pin), but the actual authorization of transfers or any privileged access is entirely MitID

This is a tech site, not a news site. Threads posted here are rarely if ever "big news" nor is that the point.

The topic is an opener to discuss MitID, electronic ID's in general, the protocols behind them, what happens when they fail, privacy, societies reliance on them or something similar.

>this is not big news in dk

Yep let's not learn from that incident and wait until is offline for like 2 weeks, and be assured that will happen.

The french company IN Groupe.

One of the flaws of that system was exactly that you didn't know which domains where allowed to issue the requests for a one-time key.

Each service would serve the authenticator snippet from their own domain, with their own certificate. MitID, for all it's centralization flaws, solved that by only being valid under the mitid.dk domain. I doubt that most people check the domain and the certificate, but they could.

How would you use a paper ID online? (Securely, i.e. not the insane thing of taking a selfie holding it or something similarly bizarre in an age of powerful GenAI.)

given the very sparse info on the actual problem i find it suspicious as well.

Tin foil is aisle ten friend.