It's the organization you use if you're sick, lost your job, where you get your social security etc. Basically a huge behemoth of all kinds of social or labor services.
While most of the code probably has little value for others (2000 different repos), I think it's quite noble that it's public, given it's made with tax payer money and serves our people. And when working there I found it quite cool to work in the open, a sense of pride in publishing everything we were doing. Also a bit funny, just checked the project I started 5 years ago: "last updated 42 minutes ago".
I think all countries should use their own instances of gitlab or others. It feels wrong that they all depend on GitHub to publish such important information.
Just curious, since it's been a dream of mine to have public services powered by open software: How often do bugs in the services get reported either, with direct references to the underlying software (function names, line numbers, etc.), or as changesets/PRs with proposal fixes?
Especially for simpler things like style/accessibility issues, I could see this being somewhat common honestly.
This is the baffling side of the EU to all outsiders/newcomers. When I first moved here, that was my first thought as well. There is just so much in common, why repeat everything everywhere instead of a single effort with branches everywhere?! (police force, consular services, identity services, and pretty much any government paperwork one can think of, transportation services etc). However, the population is very localised and divided. The French do it their way, Italians another way, the Germans in their own way etc. It is hard to gain common ground beyond what the EU already represents (which is very good IMO). I do wish doing things at EU level becomes the norm, and individualities slowly disappear.
Imagine a single European rail service (not Euro rail where you can buy a single ticket that will make you take Dutch train, and then connect on a German train, and then on an Austrian train, and if you miss a connection, good luck figuring out your replacement..)
My partner and I just moved to the Netherlands and I mildly disagree. For one, we really like the diversity and appreciate the different cultures and histories. But I also think there's something to different member states getting to experiment on their own. Like, the Finns are onto something with their school system for sure, but the Dutch have a lot of Montessori schools--what are the pros and cons of each approach?
But, yeah not that we're wild about international train travel--that's a sore spot for sure. But generally we view the differences as a kind of richness and less of an inconvenience.
> I do wish doing things at EU level becomes the norm, and individualities slowly disappear.
Unless you reach an economic moment where you can pay the same to a policeman in Sweden and a policeman in Greece there is never going to be a socioeconomic identity that would allow you to aggregate all these people in some sort of federation police force. Same for rail, same for most anything where there is a cost or expense or transaction.
The diversity of systems reflects a diversity of arbitrage. Brute forcing that into a single entity or federal body is ivory tower thinking.
> Unless you reach an economic moment where you can pay the same to a policeman in Sweden and a policeman in Greece there is never going to be a socioeconomic identity that would allow you to aggregate all these people in some sort of federation police force.
Why?
Localized pay has been a thing for literally centuries, across a wide swath of fields.
This is not about standardized pay, but about resource sharing.
Imagine a study about an uptick in a certain type of crime. Easier on one big force, than 20 little ones.
> There is just so much in common, why repeat everything everywhere instead of single effort with branches everywhere?!
I think you misunderstand the history of the EU project: its goal is what you describe, but it must be balanced with respecting the autonomy of each individual nation inside the union. It can only work if all involved governments agree to do it. Which is an incredibly difficult thing to achieve.
What we have now is the progress we have managed to make so far. If it does not appear like much, well, you should have seen what things were like before the EU, especially regarding red tape.
Such a collaboration has the potential to save time, money, effort, and increase quality. But in reality it either ends up being "design by committee", or a few of the countries are the drivers and the rest are the followers who try all kinds of maneuvers to retain some control.
Even if this is done under the umbrella of an EU institution, the politics work the same way, except now every other country is trying all kinds of maneuvers in an attempt to retain as much of the control as possible.
You're saying how things should be. I told you how they are, from experience with both worlds. I have the impression you are vastly underestimating the "power games" happening at country/union level compared to the ones in a company.
In the usual company there is a reasonably clear hierarchy, if someone doesn't fall in line some superior dons the big boots and drop kicks them all the way past the company parking lot without some democratic process behind it. Each level is accountable to the higher one.
At country level there's no such thing. It's more like a lot of different companies sometimes reluctantly agreeing to work together, while not owing each other anything, and being subjected to the whims of the people back home (managers and citizens). There is no true hierarchy, no supreme authority, the accountability isn't towards the committee but towards superiors "back home" to get specific interests pushed. And if they don't make the cut you can always pack up your toys and go, maybe even turn it into a win back home ("we retain full control"). You want to look good for the managers and the citizens at home, not the ones in the committee. National pride, ego, politics on the world stage are very strong factors at play. If there is some obligation to contribute it also had to come democratically in a process in which your country participated.
These aren't power plays inside a company, they are the power plays between big companies. Except with a lot of nationalistic aspects and actual politics sprinkled in. And you can't even buy cooperation like in a commercial case.
So calling them "power games" is correct in principle but not at all useful to gauge the difference in scale in the 2 cases.
EU is a collaboration between countries where anyone can veto anything, yet they still manage to pass laws. Open source is much easier in comparison: no need for full consensus and no way to retract code that has already been published.
This is not for co-development. This is mainly a report of what the government has done. To some extent it could be used to check the safety of software/infrastructure.
For example, Ukraine used closed-source software, and only the war (because of censorship) slightly slowed the stream of scandal publications about bugs and vulnerabilities.
The tax systems are national responsibility, and building a bespoke app for a given tax system is cheaper than supporting 27 widely different tax systems in a single app.
Wow, looks pretty nice from the screenshots. Do you have experience using it? Does it work well/do what it claims? I recently moved to Spain, which has a digital identity system, but it is a pretty disjointed attempt.
Yes, the project started in February 2017, so it's been a while and the app is very mature and frequently used by many citizens (full disclaimer, I was leading the development of the app and the backend from the beginning until almost two years ago).
Do you know why no other, more open, second factors are being introduced in DigiD auth? I'd rather use my U2F fobs, like I can almost everywhere else. Some people like TOTP.
It's a great app, doesn't do "much" except sending some government news from time to time. It was used a lot during Covid because it showed your negative QR code.
Well, apart from sending highly targeted updates to citizens, it is also used for:
1. receiving payment requests for car tickets that you can pay right away with the credit card you saved in the app
2. receiving pending tax payments for local and national taxes that, again you can pay right away in the app
3. it was used for the national cashback program as a means to enroll citizens, register the payment cards that could be used to accumulate points, set up banking details to get the prizes, etc...
4. distribute several government incentives (e.g. holiday bonus, bonus for young citizens, etc...)
After I left the project, the team was working on implementing a full digital signature solution that could be used to sign official requests to the public administration and they were also working on supporting legally valid communications from the government (vs just informational).
Yeah it works pretty well. Italy also has a digital identity system called SPID which can be used to log in for all governmental services which also works pretty well.
Speaking as an immigrant from America, I really like DigiD! I wish the US had something even remotely similar. The fact that we do not have a standardized national ID easily available to everyone is embarrassing.
DigiD has some minor annoyances, but it's a helluva lot better than some alternatives I could think of.
> The fact that we do not have a standardized national ID easily available to everyone is embarrassing.
Why? I’ve lived in a European country with common national IDs, in the US, and in a European country without national IDs, and I’m not sure that the absence of it is “embarrassing.” Note that in most European countries it’s an identifier of citizenship, not residence, with other ID cards such as residence permits, drivers licenses, or municipal registrations indicating residence. Therefore, it’s far from sufficient for many common use cases that depend on residence, and the countries that don’t have one such as the US or the UK typically use passports (or ad-hoc solutions such as US/Canada enhanced drivers licenses) for travel.
> The fact that we do not have a standardized national ID easily available to everyone is embarrassing.
Surely that's hyperbole. State IDs are pretty standardized, and even more so with the REAL ID system (if the mandates for it ever go into effect). When have you ever had a problem using one state's ID in another state?
It makes coordinating your information across many different service providers much more efficient. Here in the Netherlands for example, I can use DigiD to login and pay my taxes, pay for health insurance with a private company, authenticate to my pension plan and a ton of other things.
I can't vote with my Texas ID in Wyoming. A passport might be sufficient to vote in a different state for a national election but I admit that I'm not 100% sure on that.
Every government agency in the US doesn’t know who I am without me telling them. And even then if they fat finger the number I could be in for a world of hurt until someone realizes.
I can vote with an out-of-state driver's license in Pennsylvania, it just means that I have to provide a signature to them instead of it getting auto-populated from my driver's license. I'm pretty sure this should be the case in any state.
It was on purpose. Americans traditionally don't like the idea of a standard, mandatory national ID. But SSNs have basically been re-appropriated to serve that purpose, to get around that, despite them being explicitly listed as "not intended as a means of general identification."
I find the DigiD app to be one of the most annoying implementations of 2FA out there. You have to unlock the app with a pin code, then enter an app-generated code on the site, then scan a QR with the app, and then grant permission to login to that site.
If you compare that to 2FA for Office 365 for example, where you just have a push notification where you press a button to allow, then you can't help but think that some attention to UX would be helpful.
As it is, I usually pick SMS verification instead of using the app. Yes, less secure, but so much easier.
For an app that cost in the tens of millions to produce[1], and for which the company (gov-owned and operated) behind it charges implementors/users (not end-users ofc)[2] for each and every single successful DigID authentication event €0.13, DigID authorization event €0.88, and even for every digital message delivered into your "berichtenbox" €0.32, it could.. no rather it should indeed provide a much better experience than what we have now.
If the money is going back into the public coffers supplanting other tax revenue, a fee for delivery must help prevent spam? I don't know enough about the topic but at first glance it seems there could be worse things.
I suppose it would hinge on your view of regressive use fees as well.
“ This code has been disclosed in response to a request under the Dutch Open Government Act ("Wet open Overheid"). This implies that publication is primarily driven by the need for transparence, not re-use. Re-use is permitted under the EUPL-license, with the exception of source files that contain a different license.”
It sounds like they might not be very keen to maintain the app.
Can there be alternative better implementations or DigID “hardcoded” to one provider?
I think that just means "this won't be very helpful in standing up your own DigID". It also says they're looking at providing more ongoing transparency.
On the other side of this, push-phishing through MFA fatigue has become extremely frequently used to hack into enterprise O365 instances (as well as Google Cloud accounts and the like).
People don't generally read it when their phone apps send them a "please login" notification after the 200th one that day, they tend to approve it without thinking (or worse, accidentally approve a phishing notification while trying to login), especially when busy, which results in them letting phishers onto their device.
The DigiD login flow is a bit of a mess, but it seems very well designed to avoid that particular tendency. The entire process requires active involvement from the end-user, which means they'll be paying attention on whether it's them logging in or not.
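Detection logic for the push-fatigue pattern described above, as an added example that is not part of the thread or of any vendor's product. It runs over a few constructed log lines (timestamp, user, event, result) standing in for an identity provider's MFA audit log; the field layout, the ten-minute window and the five-prompt threshold are assumptions, and the per-user state assumes each user's lines arrive in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one MFA push challenge per line.
# alice: five prompts ignored/denied within five minutes, then one approved (the fatigue pattern)
# bob:   one ignored prompt, then approved (an ordinary retry)
# carol: five ignored prompts spread over hours, then approved (no burst)
SAMPLE_LOG = """\
2023-03-01T09:00:00 alice push timeout
2023-03-01T09:01:00 alice push denied
2023-03-01T09:02:00 alice push timeout
2023-03-01T09:03:00 alice push timeout
2023-03-01T09:04:00 alice push denied
2023-03-01T09:05:30 alice push approved
2023-03-01T09:10:00 bob push timeout
2023-03-01T09:11:00 bob push approved
2023-03-01T06:00:00 carol push timeout
2023-03-01T06:30:00 carol push timeout
2023-03-01T07:00:00 carol push timeout
2023-03-01T07:30:00 carol push timeout
2023-03-01T08:00:00 carol push timeout
2023-03-01T09:30:00 carol push approved
"""


def parse_line(line: str):
    """Assumed log layout: ISO timestamp, user, event type, result."""
    ts, user, event, result = line.split()
    return datetime.fromisoformat(ts), user, event, result


def detect_push_fatigue(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Return (kind, user, timestamp) alerts.

    "burst": the user has just received `threshold` push prompts that were not
    approved inside `window` (attack likely in progress; a good moment to lock
    the factor before the user gives in).
    "approved_after_burst": an approval arrives while such a burst is still
    inside the window; the resulting session should be treated as suspect.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, result) inside the window
    alerts = []
    for ts, user, event, result in map(parse_line, lines):
        if event != "push":
            continue
        q = recent[user]
        q.append((ts, result))
        while q and ts - q[0][0] > window:
            q.popleft()                   # drop prompts older than the window
        unapproved = sum(1 for _, r in q if r != "approved")
        if result == "approved":
            if unapproved >= threshold:
                alerts.append(("approved_after_burst", user, ts))
        elif unapproved == threshold:     # fire once, as the burst crosses the line
            alerts.append(("burst", user, ts))
    return alerts


def run_sample():
    return detect_push_fatigue(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, user, ts in run_sample():
        print(f"{ts.isoformat()} {user}: {kind}")
```

Only alice trips the detector: carol's five ignored prompts never sit inside one ten-minute window, and bob's single retry is below the threshold. The "burst" alert is the actionable one, since it fires before the user approves anything.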
This is real and a serious threat. Both the company I work in and I (personal account) have been targeted with this specific method. I got tens of random notification pop-ups on my phone in different days and I almost approved it once. It didn’t stop until I disabled login using that specific email address altogether.
Edit: I received the notifications for Microsoft Authenticator app
YMMV: I'm on a OnePlus 8 using the Microsoft Authenticator app. An OS update changed the PIN pad, which in turn soft-broke the M$ Authenticator app's PIN lock security: rather than presenting a PIN pad to enter my PIN code, it now presents a full QWERTY keyboard... making it exceedingly annoying to enter my PIN, to the point where I simply disabled the PIN lock on the app (not on my phone, obviously).
So yeah, MFA fatigue is a thing and a PIN lock on the notification is not going to survive for very long given these OEM shenanigans...
Edit: Also M$ Auth app offers no proper export of my MFA keys, so I am stuck in this walled garden :')
That's a bad comparison, as you're comparing a full authentication process against just one step: with Office 365 (and SMS verification for DigiD) you additionally need to provide a username and password, which you don't need to do with the app.
I think the only part that can reasonably be simplified without compromising security is to use a push notification instead of having to scan the QR-code.
> That's a bad comparison, as you're comparing a full authentication process against just one step: with Office 365 (and SMS verification for DigiD) you additionally need to provide a username and password, which you don't need to do with the app.
I hadn't even noticed that app login doesn't require username and password. With a password manager that doesn't add a lot of friction. Even when accounting for that extra step, I still find Office 365 and SMS verification much easier.
What's the purpose of the code you're entering from the app? Isn't that a bit superfluous/couldn't the app open a communications channel with the server via the QR code you scan and provide that itself?
Then the app relies purely on the ssl cert of the server, for mitm mitigation. This way, the qr can contain a signed reply to the code, which adds a layer.
Wait, I don't get it. I understand that the server is signing a challenge with a key presumably known to the client. But why can't the app submit the challenge programmatically upon scanning a QR code? It would still verify the signature!
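The exchange the thread describes (app shows a code, the user types it into the site, the site renders a QR that is a signed reply to that code, the app scans it, the user presses allow), as an added example that is not DigiD's protocol or code. Assumptions: HMAC-SHA256 stands in for whatever signature scheme the real system uses, so in this toy the app holds the QR verification key (a real deployment would sign QR payloads with a public-key scheme so the app only holds a public key); the 4-digit code, the per-device key and the PIN check are simplifications. It shows the binding the thread points at: a QR for a session bound to some other code, or a QR whose code field was rewritten, fails in the app before the user is ever asked to allow anything. It does not model a phishing page relaying the victim's own code in real time.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _mac(key: bytes, msg: dict) -> str:
    """Stand-in for a signature: HMAC over a canonical JSON encoding (assumption)."""
    canon = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(hmac.new(key, canon, hashlib.sha256).digest()).decode()


class Server:
    def __init__(self):
        self.qr_key = secrets.token_bytes(32)
        self.devices = {}    # device_id -> per-device key set up at app activation
        self.sessions = {}   # browser session id -> {"code", "nonce", "approved"}

    def start_session(self) -> str:
        """Step 1: the browser opens the login page; nothing is bound to an app yet."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"code": None, "nonce": None, "approved": False}
        return sid

    def submit_code(self, sid: str, code: str) -> dict:
        """Step 3: the user typed the app's code into the site. Bind this browser
        session to that code and return the QR payload: a signed reply to the code."""
        s = self.sessions[sid]
        s["code"], s["nonce"] = code, secrets.token_urlsafe(16)
        body = {"sid": sid, "code": code, "nonce": s["nonce"]}
        return {"body": body, "sig": _mac(self.qr_key, body)}

    def approve(self, sid: str, device_id: str, sig: str) -> bool:
        """Step 5: accept the app's approval only if it covers this session's code and nonce."""
        s = self.sessions[sid]
        msg = {"sid": sid, "code": s["code"], "nonce": s["nonce"], "action": "login"}
        if hmac.compare_digest(_mac(self.devices[device_id], msg), sig):
            s["approved"] = True
        return s["approved"]


class App:
    def __init__(self, device_id: str, device_key: bytes, qr_key: bytes, pin: str):
        self.device_id, self.device_key, self.qr_key, self.pin = device_id, device_key, qr_key, pin
        self.unlocked, self.code, self.pending = False, None, None

    def unlock(self, pin: str) -> bool:
        """Toy PIN check; a real app rate-limits attempts and derives keys from the PIN."""
        self.unlocked = hmac.compare_digest(pin, self.pin)
        return self.unlocked

    def show_code(self) -> str:
        """Step 2: the one-time code the user reads off the phone."""
        if not self.unlocked:
            raise PermissionError("unlock first")
        self.code = f"{secrets.randbelow(10_000):04d}"
        return self.code

    def scan_qr(self, qr: dict) -> bool:
        """Step 4a: accept the QR only if it is genuine and replies to *this* app's code."""
        body = qr["body"]
        if not hmac.compare_digest(_mac(self.qr_key, body), qr["sig"]):
            return False                 # forged or tampered QR
        if body["code"] != self.code:
            return False                 # QR belongs to a session bound to another code
        self.pending = body
        return True

    def grant(self):
        """Step 4b: the user pressed 'allow'; sign exactly what was scanned."""
        return self.pending["sid"], _mac(self.device_key, dict(self.pending, action="login"))


def run_demo() -> dict:
    server = Server()
    device_key = secrets.token_bytes(32)
    server.devices["phone-1"] = device_key
    app = App("phone-1", device_key, server.qr_key, pin="12345")

    # Honest flow: site -> app (code) -> site (QR) -> app (allow) -> site.
    sid = server.start_session()
    app.unlock("12345")
    code = app.show_code()
    qr = server.submit_code(sid, code)
    scanned = app.scan_qr(qr)
    sid_back, sig = app.grant()
    login_ok = scanned and server.approve(sid_back, "phone-1", sig)

    # A QR for a session bound to some other code (e.g. an attacker's own attempt)
    # is refused by the app, so the user is never asked to approve it.
    other = server.submit_code(server.start_session(), "0000" if code != "0000" else "0001")
    rejected_other = not app.scan_qr(other)

    # Rewriting the code field to match the victim's app breaks the signature.
    tampered = {"body": dict(other["body"], code=code), "sig": other["sig"]}
    rejected_tampered = not app.scan_qr(tampered)
    return {"login_ok": login_ok, "rejected_other": rejected_other,
            "rejected_tampered": rejected_tampered}


if __name__ == "__main__":
    print(run_demo())
```

The typed code is what ties the browser session to one specific app instance before any QR exists; the server's nonce in the QR and the app's signature over that same body are what stop a captured approval from being replayed against a different session.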
If you leave the country without setting up SMS you can’t ever use 2FA. They claim to support adding foreign numbers, support people being abroad, support adding new DigiD accounts from abroad, but oh no you can’t just add a number. Not even by going to an office or doing a virtual interview. I would think this violates EU law on discrimination. If you live in the UK post-Brexit it’s now totally impossible, I believe (since you aren’t even allowed to make a new account).
Holder of Dutch passport here. I created a DigiD account from France, using a French phone number.
You plan a video conf using their web app, connect at the right time, and show your passport when asked.
As an aside, I login without using their app, as my Android phone does not support Google Play.
Don't know what happens if you don't have a dutch passport though. I guess they are under no obligation to render services to people that are neither citizen nor national.
A bit like when I got married and the French state wanted proof that I wasn't already married before, during the period I had lived in the UK. The UK services wouldn't give me the time of day, since I was neither British nor living there. I ended up getting an official looking note from the Dutch embassy to the UK, stating that "to the best of their knowledge I wasn't married" =)
Create - from the EU - yes. As I said: you cannot add to existing that you already use extensively. And not create new from outside EU. That’s what makes it so shambolic. They clearly have the ability to both do it technically and to verify appropriately.
No problems using similar UK services for EU citizens I know, nor non-EU. Usual bank/address shenanigans at the start, but no issues with government gateway etc.
After moving to the States and losing my Dutch mobile number I was also not able to use it for more than 10 years.
During covid the government provided an ability to schedule a zoom call to verify identity remotely and set up Digid with a foreign number so I finally have it.
It's slightly easier on-device (where the app runs), still try opening your government messages inbox, that takes 5 taps/screens/faceID and a code. It always works though, and one does not use it very often.
I do appreciate that they keep it so secure (or perhaps I should say, not logged in by default). It works well in general imho.
I have dozens of 2FA codes now that require searching for the correct one and I have to store backup codes in physical form. Which probably a lot of people keep unencrypted on their desktop somewhere.
With the Digid app you just need to remember the pin code or unlock with face id.
The app generates the codes for each login and then you just scan the QR. It's very simple to use.
Recently I lost my phone and had to set everything up again. I had to start digging for 2fa backup codes, but Digid I could easily set up again using the NFC chip in my passport.
> On desktop, you use pin, type code, then scan. I find the flow quite smooth.
I find the constant back and forth between devices annoying. 2FA is already annoying because you have to switch from desktop to mobile and back, but that can't be helped. There's no need to make it 6 times, though:
desktop (on site) -> mobile (start app + pin) -> desktop (fill in code) -> mobile (get camera) -> desktop (scan QR) -> mobile (press allow) -> desktop (continue on site)
The company making this clearly doesn't want to open up development, this code was released because the government was forced to. They stripped the commit history and some hard coded details and I don't think they'll develop on this repo either.
Some extra eyes on the current code might fix some small issues, but I doubt this is going to improve the app much.
It's pretty pathetic how many people feel the need to dunk on this bit of code just because it's not how they would write it. There's nothing really wrong with it. I'm sure the author was aware of alternative, perhaps more concise solutions using a string builder but they chose to be clear instead.
I'm pretty sure they weren't because of the redundant conditionals which simply defy logic. If there was only one check for every if statement, honestly I could give this a pass since it's at the very least simple, but by adding one extra redundant check for every statement you just created 9 new places where a bug could appear.
Furthermore, using Unicode characters to represent progress is the true smell here. There simply are better ways to do this.
In the grand scheme of things, does it matter? No. But this is Hacker News LOL, someone has to discuss it.
If I had to show a progress bar for less than a second in a screen the user will only open up once per 10 years (it's NFC code for scanning passports/ID cards), I wouldn't bother writing a reusable custom progress bar component either.
Sure, you can do it better, but why would you? There are other, more pressing issues in this code (that probably also don't warrant spending extra time on refactoring).
Those redundant checks are highlighted in every IDE I can think of. I can only assume they're there for readability.
It has almost twice as many comparisons as necessary. The term to the left of each AND is redundant because it has already been checked by the preceding IF. It also does not guard against negative arguments. Perhaps the environment in which it is used guarantees that negative arguments cannot occur.
If I were reviewing this code I would at least ask the developer to add an assertion or contract requiring that the argument be in the inclusive range [0..1]
The choice of variable name, percentage, is also misleading. At least I suspect it is because I would expect the comparisons involving percentages to be to numbers between 0 and 100.
If lack of allocations is a requirement then one could create a static array of strings and use `int(percent * 10)` as the index. This would eliminate all of the comparisons and also throw an index out of range (in any sane language) if the value was outside the allowed range.
If you have int(percent * 10) + 1 you can just generate that many blue circles (checking for the edge-case of zero, or even better using ceil instead of int), the rest white and return it - no need for manually crafting the array (since the performance is, I presume, not a critical thing here). If tomorrow you want stars instead of the circles you just edit 2 chars in one place, instead of typing manually all combinations.
The compile time allocated array is to avoid allocations at run time, if that is a requirement. In a language with proper macros such as Nim or Lisp this can be done at compile time using exactly your approach. That way it executes fast and is just as simple.
I've been looking into nim lately (just for fun with the Advent of Code problems) and it looks fantastic. I plan to allocate more time to it in future definitely.
Having a separate string for each level of progress also lets you do other kinds of customizations: you could have a rainbow progress bar, or put little bits of encouraging text to the right of the progress bar, like "Almost there!" at 90%.
Essentially, you're making one type of customization (i.e., changing the symbols) slightly easier, at the expense of making other types of customization harder.
You know it's only a matter of time before someone dissects each one of your objections. In fact you could do so yourself with a bit of a wider perspective.
I think they're all great suggestions (albeit for such a tiny, irrelevant piece of code). The only problem I can think of is that the given code rounds up, but your suggestion of `int(percent * 10)` rounds down.
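A cleaned-up version of the progress function the thread is picking apart, as an added example that is not code from the DigiD repository (the original is not quoted on this page, so its shape, a fraction in [0, 1] rendered as ten circles, is reconstructed from the comments). It puts the range check up front instead of the chain of overlapping comparisons, renders from one filled/empty pair so the symbols change in one place, and makes the rounding mode explicit, since `ceil` (the original's rounding up) and `int(percent * 10)` (the table-index proposal) disagree on every value that is not a multiple of a tenth.

```python
import math

FILLED = "\U0001F535"   # blue circle
EMPTY = "\u26AA"        # white circle
STEPS = 10


def filled_steps(fraction: float, mode: str = "ceil", steps: int = STEPS) -> int:
    """Number of filled circles for a completion fraction in [0, 1].

    mode="ceil": any progress past a tenth lights the next circle (rounds up).
    mode="floor": the int(percent * 10) table-index variant (rounds down).
    Out-of-range input, including negatives, is rejected instead of silently
    mapping to the first or last step.
    """
    if not 0.0 <= fraction <= 1.0:
        raise ValueError(f"fraction must be in [0, 1], got {fraction!r}")
    # Round away binary float noise before truncating; products such as
    # 0.1 * 3 == 0.30000000000000004 would otherwise push ceil() one step high.
    scaled = round(fraction * steps, 9)
    if mode == "ceil":
        return math.ceil(scaled)
    if mode == "floor":
        return int(scaled)
    raise ValueError(f"unknown rounding mode {mode!r}")


def progress_bar(fraction: float, mode: str = "ceil", steps: int = STEPS) -> str:
    """Render the bar; swap FILLED/EMPTY here to change the symbols everywhere."""
    n = filled_steps(fraction, mode, steps)
    return FILLED * n + EMPTY * (steps - n)


if __name__ == "__main__":
    for f in (0.0, 0.05, 0.25, 0.5, 1.0):
        print(f"{f:>4}  ceil  {progress_bar(f)}   floor {progress_bar(f, 'floor')}")
```

Calling the parameter `fraction` rather than `percentage` sidesteps the [0, 1] versus [0, 100] argument the thread gets into, and the single guard is the assertion/contract the reviewer upthread asked for.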
I vaguely suspect that this is a product of the sort of environment where you have to fill out a form in triplicate to get the static analyser to let you concatenate strings (which, to be clear, may not be inappropriate for something like this).
I do object to the variable being called ‘percentage’ tho, as it clearly isn't one.
I have no idea where all of you got the idea that percentages go up to 100. It's in the name: PER centage, meaning x/100 [0].
For instance if you want 20% that could also be expressed as a fraction such as 20/100, which turns out is the same as 2/10 or 0.2.
I do think they should remove the redundant statements in the conditions and also have an assertion that guarantees percentage to be [0, 1].
> The term "percent" is derived from the Latin per centum, meaning "hundred" or "by the hundred". The sign for "percent" evolved by gradual contraction of the Italian term per cento, meaning "for a hundred". The "per" was often abbreviated as "p."—eventually disappeared entirely. The "cento" was contracted to two circles separated by a horizontal line, from which the modern "%" symbol is derived.
This might be a little more obvious for me since my first language is derived from Latin, but anyhow it still keeps the meaning in english.
20 percent means, literally, 20 per hundred; it's equivalent to 0.2 or 2/10 or 1/5 or whatever, of course, but if `percentage==0.2` then that fairly clearly, on the face of it, should mean "0.2 per hundred", ie 0.2% or 0.002.
It really shouldn't. 20% means _literally_ 20 / 100 so if you need to express that numerically (as you do in code since % is reserved for modulo) you write that as 0.2. That is still a percentage, just in numerical decimal form instead of in the form of a fraction, the value is exactly the same and it didn't stop being a percentage.
If I write 0.2 on a piece of paper and give it to someone and tell them that's a percentage it should be pretty obvious that means it's 20%. If you do the same but you write 0.2% then of course it's 0.2%.
If they really wanted to they could've written the comparison using the numbers as fractions in the comparisons, such as percentage < 10/100, which would be perfectly reasonable, but again, that resolves to 0.1, so you might as well write it in decimal form already.
This is likely an effect of translation more than anything. While the Dutch are generally very competent English speakers and writers, their expertise tends to end the conversational level. Anything technical in its conception takes decades of intense every day use to intuit.
Source: native English speaker working in the Netherlands with a team of Dutch people. They are all really smart people, but they tend to err on the side of simple vocabulary when forced to think in English.
I think another cause is that english tends to have simpler sentence structures when compared to dutch in the first place, and dutch folks tend to over-correct towards simplicity when speaking/writing/thinking english.
E.g. this is a perfectly cromulent dutch sentence:
"Vorig jaar zijn we gestart met scholing rondom systeemdenken met als doel de lessen rond begrijpend lezen naar een hoger niveau te tillen en de leesresultaten van de kinderen te verbeteren."
Which when fairly directly translated to english ends up something like:
"Last year we have started with schooling around system thinking with as goal lifting the classes on reading comprehension to a new level and improving the reading results for the children."
which while valid english, isn't very idiomatic -- never mind hard to parse. A native would most likely split this into three or four sentences. E.g.:
"Last year we started with schooling around system thinking. The goal of this is to lift the classes on reading comprehension to a new level. Simultaneously this will improve the children's learning results."
I'm triggered by the lack of brackets after every if-expression. Sure it looks nicer this way but the default Visual Studio code style settings will complain if you don't do it, hence I'm used to it.
I've started to remove them from my own code. It's widely mentioned as The Right Way, but I feel the reasons why are obsolete. The stated reason is always that you could forget to add braces when adding a second statement.
That was useful in a time where a text editor was "smart" when it copied your indentation to a new line. But nowadays any tooling will warn you when indentation doesn't match the bracing. The odds of people making that mistake have gone so far down that the risk is no longer worth the reduced readability.
Technically what is happening behind the scenes is that for most languages the compiler/interpreter will promote the integer to a double to avoid foot guns.
Nevertheless integer comparisons with any kind of floating point is not a wise choice.
The idiomatic way to compare a double would be to take into account whatever is the double precision epsilon for that language. Or just use the greater/less than like they have in the subsequent if statements in the original code snippet.
It’s not, though. To confirm the method works you need to check every single comparison operator and value to ensure the range is bounded correctly. It’s code that stops you in your tracks.
if(percentage < 0 or percentage > 1)
{
// Throw error here
}
Also the checks in the if statements in the linked code are redundant since they simply disregard the previous check; they could simply check if percentage < x instead of checking it's within a range, since the previous check already proved percentage to be > x - 1/10.
To be fair though, this is the kind of code where "if it's stupid and it works, it's not stupid" applies perfectly. While I would make these changes if I had to approve a PR, I wouldn't change this in a live codebase just for refactoring purposes, especially because there are better ways to show progress to a user than using Unicode characters, which I think is the real smell here.
"...This code has been disclosed in response to a request under the Dutch Open Government Act ("Wet open Overheid")..."
Sounds like it was not voluntary. Also not sure what kind of transparency is expected here, since there is no way to find if the source code published is the same used to build the app. Maybe decompilation is the way to go...
It's semi-voluntary; the request to open source the application came from the Dutch congress/2nd chamber if I recall, but took a while due to private information leaking concerns.
It was released as the result of a Freedom of Information (WOO/WOB) request made by serial "WOBBER/WOOOER" @BugBlauw, check his twitter (use google translate, works well with Dutch).
In order to verify your ID with the app your phone must have NFC support to scan the passport/ID, and on the screen where you do the verification it says: if your phone doesn't have support, find a friend with a phone that supports it. I kid you not..
How this is used in practice is when you log in to a government site, you provide your DigiD account name and password, and then (often but not always) verify that it's really you with either SMS or (apparently) by scanning a document with NFC. Since it's just a single-use authentication I don't see a particular problem with doing it on another device. The actual government interaction after you're logged in happens on the website anyway, not your friend's phone.
btw I see that attaching an nfc reader to your computer is also supported.
> btw I see that attaching an nfc reader to your computer is also supported.
Theoretically supported, or actually possible?
As it stands, DigiD must be used with either the Android or the iOS app in the 'Substantieel' mode of authenticity verification when accessing health care records. This is likely to be pushed to other uses of DigiD as well eventually.
I didn't get that from the app, I just went to mijn.belastingdienst.nl > "Inloggen op Mijn Belastingdienst" > "Inloggen met DigiD" > "Met mijn identiteitskaart", there you have to choose a device and you can pick either a smartphone or a computer with NFC reader. Didn't verify that it works but since the option is there...
To my memory, the way that works is that there is a second app that you can use to scan document IDs (it's the same one used to transfer ID verification to a non-NFC supported phone actually) and you can scan the document with that and it'll act as a password during the regular login flow.
It does require a separate one-time activation of that specific ID card with the government (a physical letter gets mailed to your address with a code to activate that card on next login), but after that it's mostly painless.
If I'm gonna guess, it's intended for people that for whatever reason can't have a consistent DigiD app to login with (i.e. developer devices that are frequently reset over and over and would lose their regular login).
The 'Hoog' level seems to allow computer-connected readers, though. This should theoretically be a superset of 'Substantieel'. Windows and Mac only, though.
I don't think I've ever used DigiD to verify my passport, I was vaguely aware it had the capability though. On the other hand I use DigiD all the time to login to websites. My health insurance, government websites, etc. Super efficient and simple.
The passport feature is a new one to provide an alternative safer method of verifying ID for the times you need it. It isn't the default use of DigiD and is meant as an alternative to physically taking your passport places.
The passport NFC scan is only intended to authenticate with DigiD once. Basically to connect your DigiD account to "you". In the past this was done by them mailing you a letter with a password in it to your registered place of living.
Access to a smartphone with NFC can indeed be an issue for some people, but it is still better than having to record videos of yourself holding your ID next to your face, then a couple of years later finding out that your personal data is freely circulating on the web because one of those sleazy identity verification services has been hacked.
That's nice, I was under the impression only ApplePay had access to read and write data via NFC. Still no ability to write arbitrary data via NFC, but for the purposes of this app that's good enough.
The limitation is in the other direction, the iPhone can’t be read or written over NFC as if it were a tag by an NFC reader (feature is called host card emulation).
It is technically possible but Apple makes it very difficult to get the entitlement. When a project I was working on tried to get it (to enable the use case of unmanned sports and library facilities unlocked by swiping the phone instead of a badge), they failed. Apple basically ghosted us. After a while they simply stopped responding to our questions. This is why we can’t have nice things on iPhone.
That was the case for a while, but they've allowed other stuff for a bit now. I've been topping up my public transport smartcard with my phone for, er, three or four years now, I think.
I don't know why so many people are saying that this is bad code.
Besides the redundant checks, it's really simple, so simple that an intern, maybe even someone who doesn't code, can understand and update it.
It's performant, most compilers will cache the strings.
People trying to justify more complex one-liners with "what if you change the symbol, or just show 5 characters" etc. These scenarios wouldn't take more than 5 minutes to adapt this code, and anyone could do it.
For me, this code with a good set of tests doesn't get much better.
It's easy to read, simple to maintain, and performant code. Maybe one of those newer switch expressions would make the code even clearer, but they already left the redundant lower bound checks in so I think the way this looks is quite intentional.
Much easier to read than `int count = (int)Math.Floor(percentage / 10); return new string('#', count) + new string('-', 10 - count);` in my opinion and not worth writing a custom progress component for.
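To make the redundancy argument and the one-liner from this thread checkable, here is an added example (not DigiD's code; the chained-range version is a hypothetical reconstruction of the pattern described, and the two block glyphs are an assumption): both forms are compared across the whole input range, including the out-of-range inputs on which the unclamped one-liner produces a bar of the wrong length.

```python
import math

# Assumption: any two distinct glyphs will do; these are "full" and "light" blocks.
FULL, EMPTY = "\u2588", "\u2591"


def bar_by_ranges(p: float) -> str:
    # Hypothetical reconstruction of the chained if-statements discussed upthread.
    # The "p >= x" half of every condition is redundant: the previous branch has
    # already returned for all smaller values.
    if p < 10:
        return EMPTY * 10
    if p >= 10 and p < 20:
        return FULL * 1 + EMPTY * 9
    if p >= 20 and p < 30:
        return FULL * 2 + EMPTY * 8
    if p >= 30 and p < 40:
        return FULL * 3 + EMPTY * 7
    if p >= 40 and p < 50:
        return FULL * 4 + EMPTY * 6
    if p >= 50 and p < 60:
        return FULL * 5 + EMPTY * 5
    if p >= 60 and p < 70:
        return FULL * 6 + EMPTY * 4
    if p >= 70 and p < 80:
        return FULL * 7 + EMPTY * 3
    if p >= 80 and p < 90:
        return FULL * 8 + EMPTY * 2
    if p >= 90 and p < 100:
        return FULL * 9 + EMPTY * 1
    return FULL * 10


def bar_by_floor_naive(p: float) -> str:
    # The one-liner as posted: fine for 0 <= p <= 100, but for p > 100 the
    # count exceeds 10 and for p < 0 it goes negative, so the bar length drifts.
    count = int(math.floor(p / 10))
    return FULL * count + EMPTY * (10 - count)


def bar_by_floor(p: float) -> str:
    # Same idea with the count clamped to 0..10, which is the check the
    # chained version gets for free from its first and last branch.
    count = max(0, min(10, int(math.floor(p / 10))))
    return FULL * count + EMPTY * (10 - count)


def equivalent_on(values) -> bool:
    """True when the chained and clamped-floor renderings agree on every value."""
    return all(bar_by_ranges(v) == bar_by_floor(v) for v in values)
```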
I agree; there are things in the code base that I personally dislike (a number of classes which could be decomposed into smaller units) but overall it's pretty good.
I had the honour of being able to review this under NDA before it was made public (pro bono, and limited to static analysis and an hour poking around suspicious looking classes). I've seen a lot of .Net code in my time and this was surprisingly good. Sure there are things which could be improved, but you'll find an order of magnitude more issues in most other code (especially dynamic languages, which are magnets for inadvertent issues affecting correctness).
Do you live in Nederland still? You can request the verification via post instead of using your passport. If you lose your DigiD login, you can also create/request another. The account acts as a pointer to your official ID. My wife made a mistake and had to attempt the process 3 times. Not a problem.
Living overseas it took them several years to realize that making a trip to an embassy overseas just to get a registration code was not a feasible way.
Luckily Corona made them realize you can also do it over a Skype call.
They explicitly say it's not intended for reuse, and various stuff has been redacted (though I've not identified any that would stop the code from working). Interestingly you are allowed to reuse the code under the EUPL license.
The interesting aspect of this is that it can be studied to write clients for platforms that are not officially supported -- currently, only Android and iOS are supported, but it'd be great to see a Linux client too.
It's a big shame that history has been rewritten and heavily redacted though. Version control history often has a lot of contextual information that's not immediately obvious in the source code itself.
I don't think a self-compiled version would work with services like belasting etc.
I did not look in depth, but the source code would reveal how things are getting encrypted and business flows, but not the data. That is in DigiD's infrastructure.
Great so now we can be sure some hacker working at an intelligence agency or criminal syndicate reads this and now knows how to hack DigiD, which is basically the Dutch government's SSO. After you get in you can do all kinds of things like apply for student loans, passport taxes etc. There will be another layer of security but still.. this is not great. Don't get me wrong I am not against publishing source code but they ought to think about what they publish.
I know, that will take some time though as it will need multiple deep reviews before it's released (as it's critical infrastructure and releasing it will increase the visibility).
Overall this will improve the security of the system, if only from the people I've seen offer their time (for nothing!) to ensure that this process is a success.