Hacker News | GoblinSlayer's comments

If you receive a forged CRL, in the worst case it will revoke certificates that you can't trust anyway. Even if it says "certificate X is still good", that's equivalent to receiving no CRL.

Use PSK signature.

There are even projects of compartmentalized applications, where the same card is used for several independent purposes.

It's not that difficult, just `git pull lineage`.

Do you imply that Google can prove such a thing or it's just security theater for (((compliance)))? AFAIK attestation attests hardware, not software, but hardware attestation is self-contained and doesn't require any remote cartel permission, cf. YubiKey attestation.

The EU is trying to make a standard that courts will enforce because EU politicians (the commission, not parliament) really want that. But all EU countries are trying to save cash without touching what's causing the money problem (that would be pensions, there is no way in hell EU governments can spend what's required to keep pensions going as is even in 2026. In the past they spent all the pension money instead of investing and now they have to start paying it back, except they can't. And if they touch pensions ... well there's a French joke. It goes something like this "One of the greatest accomplishments of the 20th century is that you can see Paris from space. Look there it is, that flame right there ...")

So they're just going to use the Apple/Google standards and declare the job done. So it's theater from all sides. Politicians will pretend this is a good solution because they don't want to spend real money, and they really want to tempt EU kids to get loans on their smartphones because, you know, in the EU you're protected from companies exploiting you. Of course, that just means governments will have to do it instead.


If they use SSN as a password, it doesn't mean you can't have something slightly more reasonable without going full cyberpunk dystopia.

Can't you just make a new Google account then?

That's crazy.

Imagine cheering for the company that will block the criminal prosecutors investigating war crimes and genocide from having the ID at all(1) once the supporter of the investigated sanctions the law-abiding persons: https://www.whitehouse.gov/presidential-actions/2025/02/impo...

But anyway - why the requirement in the first place?

(1) because sanctioned person must not be allowed to create another account.


It's puzzling how such sanctions are enforceable in the first place. If the person published their phone number then maybe, but if not then little can be done to identify them.

....with a new phone number....

5.4 Attestation Rulebooks and Attestation schemes

On one of our Linux machines the filesystem became strange, probably because somebody mistyped `ls /bin` as `ln /bin`. I think the docs say hardlinking folders is impossible, or maybe /bin was a symlink.

Laws protect interests of the ruling class. If interests are insufficient reason, then what is sufficient?
