@volla has initiated the industry consortium #UnifiedAttestation for an open-source alternative to Google Play Integrity.

    vollaficationist@mastodon.social

    RE: https://mastodon.social/@fsfe/116131145887510612

    @volla has initiated the industry consortium #UnifiedAttestation for an open-source alternative to Google Play Integrity. That will be a game-changer. All major European OS producers are joining. We have a golden opportunity now to boot out Google.

    grapheneos@grapheneos.social
    #2

    @vollaficationist @volla Unified Attestation is the direct opposite of keeping Android open. It's an anti-competitive centralized system putting Volla and other companies selling devices working with them in control of which devices and operating systems people are allowed to use. It's the direct opposite of open. There's nothing neutral or fair about companies approving using their products while disallowing others. Unified Attestation needs to be stopped.

    GrapheneOS (@GrapheneOS@grapheneos.social)

    Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

    GrapheneOS Mastodon (grapheneos.social)

      vollaficationist@mastodon.social
      #3

      @GrapheneOS Which companies are "disallowed" to partake in #UnifiedAttestation? You have formally and informally been cordially invited. As are any and all other OS manufacturers. Please, let's ease the tone. What about a constructive talk? I believe we should support one another wherever possible and meaningful. Considering the vast market potential, we have all much to gain. Some will choose GOS, some VOS, etc. It's a big cake. Let's ditch Google - unified. Good day!

        grapheneos@grapheneos.social
        #4

        @vollaficationist Unified Attestation includes multiple companies hostile towards GrapheneOS. They've spent years misleading people about GrapheneOS and making attacks on our team. Unified Attestation gives them veto power over app compatibility on GrapheneOS. It puts them in a position where they can harm GrapheneOS with unreasonable requirements and disingenuous concerns to reduce app compatibility. It's also clearly an illegal anti-competitive cartel and participating wouldn't be legal.

          grapheneos@grapheneos.social
          #5

          @vollaficationist Unified Attestation is nothing more than an anti-competitive power grab via a centralized service sitting on top of Android hardware attestation. There has yet to be any valid explanation for why this has been created. It would be entirely possible to have neutral organizations certifying devices and publishing those certificates as signed data usable with Android hardware attestation. There's no valid reason to have a centralized service under the control of these companies.

            grapheneos@grapheneos.social
            #6

            @vollaficationist Volla and the other companies involved in Unified Attestation are anything but neutral. They're selling products and are in no position to fairly evaluate devices for security or to come up with those requirements. These companies should not be the ones choosing requirements and determining which devices and operating systems meet those requirements. Forming a cartel with other companies to lock out everyone else isn't legal. We won't be participating and it WILL be stopped.

              howtophil@mastodon.social
              #7

              @GrapheneOS @vollaficationist There's no reason to stop people from running Android on "non-certified" devices at all

                vollaficationist@mastodon.social
                #8

                @GrapheneOS If it's illegal in Canada, well, then I'm sorry to hear that. Volla is seeking constructive collaboration, and the entire design of the UA is set for open and transparent collaboration. You know, if we could sidestep Google, we would all gain: the companies involved, the citizens, organisations and companies, as well as security itself.

                As for Canada law, would it be possible (legal) for you to get certificated by UA (without actively partaking in the consortium)?

                  giorgiopasqualini@mastodon.social
                  #9

                  @GrapheneOS @vollaficationist I'll unfollow GrapheneOS, grew tired of this behaviour

                    vollaficationist@mastodon.social
                    #10

                    @GrapheneOS This is currently being discussed. Nothing is written in stone. One way is to have an independent third-party highly renowned institution do test and certification. Please consider that UA is still very much "under construction." Please also note that we respect GOS' work, which is why we reached out to you half a year ago.

                      grapheneos@grapheneos.social
                      #11

                      @vollaficationist Unified Attestation is illegal throughout Europe too. We'll be filing a lawsuit against each of the companies. It's an illegal anti-competitive cartel and none of these companies has any right to determine whether apps are compatible with GrapheneOS. That's fundamentally illegal and it needs to stop before going any further. Multiple companies which have engaged in years of underhanded attacks on the GrapheneOS project are not going to be in charge of whether apps can be used.

                        xtreix@infosec.exchange
                        #12

                        @vollaficationist @GrapheneOS An anti-competitive cartel violates the principle of fair competition not only in Canada but in most countries, including the EU.

                        Antitrust and Cartels Overview
                        Competition Policy (competition-policy.ec.europa.eu)

                        Unified Attestation is an initiative with Murena, Iodé, and Volla, three untrustworthy for-profit companies that want to copy Google’s Play Integrity API, which is already abusive and illegal, to manipulate the market and impose their misleading standards.

                        There is nothing neutral about it, and the fact that it’s “open-source” doesn’t change a thing.

                          grapheneos@grapheneos.social
                          #13

                          @vollaficationist Murena and iodé have spent years attacking the GrapheneOS project. They've relentlessly misled people about what it provides to promote their products. They've misled people about what their own products with atrocious security provide. We began debunking their claims so they began making personal attacks on our team including spreading vile harassment content. We'll never give these companies veto power over app compatibility on GrapheneOS and we won't work with them.

                            radioaddition@tech.lgbt
                            #14

                            @vollaficationist @volla curious what the advantage of this is over android's native hardware attestation api /gen

                              grapheneos@grapheneos.social
                              #15

                              @vollaficationist GrapheneOS won't participate in any system which requires us to delay our releases while waiting for certification. That's inherently anti-security and is completely unacceptable. We also won't give any companies or organizations veto power over app compatibility on GrapheneOS. It's a horrible idea and we're not going to let it happen. We won't participate and we'll file a lawsuit over the fact GrapheneOS is being banned by companies selling products threatened by GrapheneOS.

                                grapheneos@grapheneos.social
                                #16

                                @vollaficationist The EU has been passing laws working towards banning end-to-end encryption and secure devices. It's completely unacceptable to have an EU-based system controlling which hardware and software is allowed to be used. GrapheneOS is not going to participate in bringing about our own downfall through helping to build or legitimize a system which could be used by EU governments to ban GrapheneOS. Play Integrity API should be banned rather than giving it legitimacy making another one.

                                  grapheneos@grapheneos.social
                                  #17

                                  @vollaficationist Android hardware attestation can already be used to permit arbitrary roots of trust and arbitrary operating systems. There's no need for a centralized system based in Europe built on top of it.

                                  It would be better if root-based attestation didn't exist because it's fundamentally insecure for anything serious and primarily useful for anti-competitive and authoritarian purposes. Pinning-based attestation is what's useful for protecting users rather than controlling people.

                                    vollaficationist@mastodon.social
                                    #18

                                    @RadioAddition You can contact the project. Whatever already existed clearly did not work.

                                      skywalker2k17@nerdculture.de
                                      #19

                                      @vollaficationist @GrapheneOS as the brand that focuses the most towards user privacy and security, it makes sense for GrapheneOS to not support something like this which is basically Google but European with its own user surveillance stuff (even if they say they don't, we will just have to trust them blindly like we do with Apple products, and consistently there have been proofs that /e/ does communicate with Google and OpenAI servers for stuff that Graphene and Calyx could already do without connecting to them, so it's false marketing in a way).

                                      While I do think having an alternative to Play Integrity API is good and it's better than nothing, hardware attestation is the best way to do it. And Volla & Murena doing something that gives them total control instead of pushing something focused towards privacy like hardware attestation shows that they have some ulterior motives. And with EU also pushing for surveillance like Chat Control and backdoors, I'm not sure this is a good idea.

                                        grapheneos@grapheneos.social
                                        #20

                                        @vollaficationist We've been actively fighting against the Play Integrity API for years, and now Unified Attestation is another anti-competitive system very similar to it. We're absolutely going to fight against it as much as we have been against the Play Integrity API. Android hardware attestation is an issue itself due to being primarily designed around root-based attestation. We convinced them to add proper pinning-based verification support to make it a real security feature for our usage.
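
The root-based and pinning-based verification modes contrasted in posts #17 and #20, as an added example that is not part of any post and is not GrapheneOS, Volla or Android code. It assumes a parser has already validated the certificate chain and extracted the fields; `Attestation`, `check_root_based`, `PinningVerifier` and every fingerprint are hypothetical, and only the `RootOfTrust` field names follow Android key attestation.

```python
from dataclasses import dataclass

# Constructed placeholder fingerprints (not real keys or certificates).
ROOT_A = "aa" * 32          # root the sample device chain ends in
ROOT_B = "cc" * 32          # a second, alternative root of trust
EXAMPLE_OS_KEY = "bb" * 32  # verified boot key of a hypothetical alternate OS
HARDWARE_LEVELS = {"TrustedEnvironment", "StrongBox"}


@dataclass(frozen=True)
class Attestation:
    """Fields a parser would extract after validating the chain's signatures."""
    root_fp: str              # SHA-256 of the root certificate
    attested_key_fp: str      # SHA-256 of the hardware-backed public key
    verified_boot_key: str    # RootOfTrust.verifiedBootKey
    verified_boot_state: str  # Verified / SelfSigned / Unverified / Failed
    device_locked: bool       # RootOfTrust.deviceLocked
    security_level: str       # Software / TrustedEnvironment / StrongBox
    os_patch_level: int       # YYYYMM


def sample(**overrides):
    """Constructed attestation for a locked device running the alternate OS."""
    fields = dict(root_fp=ROOT_A, attested_key_fp="11" * 32,
                  verified_boot_key=EXAMPLE_OS_KEY,
                  verified_boot_state="SelfSigned", device_locked=True,
                  security_level="StrongBox", os_patch_level=202501)
    fields.update(overrides)
    return Attestation(**fields)


def common_failures(att):
    """Checks both modes share: hardware-backed, locked, boot chain verified."""
    reasons = []
    if att.security_level not in HARDWARE_LEVELS:
        reasons.append("attestation is not hardware-backed")
    if not att.device_locked:
        reasons.append("bootloader is unlocked")
    if att.verified_boot_state not in ("Verified", "SelfSigned"):
        reasons.append("verified boot state is " + att.verified_boot_state)
    return reasons


def check_root_based(att, trusted_roots, allowed_boot_keys):
    """Accept any device whose chain ends in a root this verifier trusts.

    Both sets are held by the verifying app itself, so it alone decides
    which roots and which alternate-OS boot keys it permits.
    """
    reasons = common_failures(att)
    if att.root_fp not in trusted_roots:
        reasons.append("root of trust not accepted by this verifier")
    if (att.verified_boot_state == "SelfSigned"
            and att.verified_boot_key not in allowed_boot_keys):
        reasons.append("verified boot key not on this verifier's allowlist")
    return reasons


class PinningVerifier:
    """Trust on first use: remember one device, then require continuity."""

    def __init__(self):
        self._pins = {}  # device label chosen by the user -> last good attestation

    def verify(self, device_id, att):
        reasons = common_failures(att)
        pin = self._pins.get(device_id)
        if pin is None:
            if reasons:
                return "rejected", reasons
            self._pins[device_id] = att
            return "paired", []
        if att.attested_key_fp != pin.attested_key_fp:
            reasons.append("attested key differs from the pinned key")
        if att.root_fp != pin.root_fp:
            reasons.append("root of trust differs from the pinned root")
        if att.verified_boot_key != pin.verified_boot_key:
            reasons.append("verified boot key differs from the pinned key")
        if att.os_patch_level < pin.os_patch_level:
            reasons.append("OS patch level went backwards")
        if reasons:
            return "mismatch", reasons
        self._pins[device_id] = att  # ratchet the pinned patch level forward
        return "ok", []
```

Under this model a different hardware key beneath the same root still passes `check_root_based`, while `PinningVerifier` reports it as a change from the paired device.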

                                          vollaficationist@mastodon.social
                                          #21
                                          @GrapheneOS Will you really? And you didn't Google? Now I'm actually really getting worried about the status of GOS. Well, I wish you the best.
