Well, this would directly contravene other directives of the EU, wouldn’t it? On the one hand forcing app store neutrality and on the other making them a requirement? Not that that would stop a working group from ignoring another group, regulation or the like.
Looking at the reference framework, it’s nothing new (often poorly formulated). The certificate mechanisms (which are becoming legion) are standard and have nothing to do with Google or Apple but require the application provider to be certified in a way that should prevent fraud… if the certification authority isn’t run like a discount shoe store. The latter is not so certain, these days. Trust anchors spread about:
Wallet Providers,
PID Providers,
QEAA Providers,
PuB-EAA Providers,
Access Certificate Authorities for
Relying Parties,
PID Providers,
QEAA Providers,
PuB-EAA Providers.
gives me a warm fuzzy feeling about the exploits coming in the future. With a bit of luck, this whole thing will just fail to get traction.
The only real ‘trust anchor’ in the whole tottering enterprise, the oddly named PuB-EAA (Public Body Authentic Source Electronic Attestation of Attributes (PuB-EAA) Providers, i.e. Governments) will surely be paying out the nose to the other parties involved.
Having read most of this mess now, I can attest (I swear!) that it is not nearly finished and the parts that are finished are certainly not usable to actually create code.