Brutkey

ww 🩶🩶
@ww@xyzzy.link
eu destroying pki?

https://eur-lex.europa.eu/eli/reg/2024/1183/oj/eng#045.001

45.1. Qualified certificates for website authentication shall meet the requirements laid down in Annex IV. [...]
45.1a. Qualified certificates for website authentication issued in accordance with paragraph 1 of this Article shall be recognised by providers of web-browsers. Providers of web-browsers shall ensure that the identity data attested in the certificate and additional attested attributes are displayed in a user-friendly manner. [...]
45.1b. Qualified certificates for website authentication shall not be subject to any mandatory requirements other than the requirements laid down in paragraph 1.

this is the law that's been passed and should be in power now? the eu wants to force web browsers to:
- trust eidas certificate authorities
- revert to prominently displaying extended validation data
- not require certificate transparency on european certificates!!!!

the practical implications:
- any eu state can issue a valid certificate for any website
- it is illegal for a browser vendor to reject it
- without certificate transparency, it would be undetectable; even if there's an eu-wide registry (is there?), nothing stops them from not adding the cert to it (whereas ct is enforced)
- this enables mitm at the isp level across the eu; basically eu countries can view any of their residents' browser traffic if they want

please tell me i misunderstood the law?
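Added example (editor's own code, not from anyone in this thread): a stdlib-only parser for the embedded SCT list (RFC 6962) that browsers check before trusting a publicly issued certificate, which is the kind of "mandatory requirement" beyond Annex IV that the post is worried about. The "SCTs from at least two distinct logs" rule is a simplified stand-in for real browser CT policies, and the sample SCTs, log ids and signatures are constructed dummies; signatures are not verified.

```python
import struct
from collections import namedtuple

SCT_EXTENSION_OID = "1.3.6.1.4.1.11129.2.4.2"  # X.509 extension holding embedded SCTs
# log_id: SHA-256 of the CT log's key; signature: the log's promise to publish the cert
SCT = namedtuple("SCT", "log_id timestamp_ms signature")

def parse_sct(data):
    """Parse one SignedCertificateTimestamp (RFC 6962 s3.2); struct.error means truncated."""
    version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", data, 0)
    if version != 0:
        raise ValueError("unsupported SCT version")
    pos = 43 + ext_len                       # v1 defines no extensions; skip any present
    _hash_alg, _sig_alg, sig_len = struct.unpack_from(">BBH", data, pos)
    sig = data[pos + 4:pos + 4 + sig_len]
    if len(sig) != sig_len or pos + 4 + sig_len != len(data):
        raise ValueError("malformed SCT length")
    return SCT(log_id, ts_ms, sig)

def parse_sct_list(ext_value):
    """Parse SignedCertificateTimestampList: 2-byte total length, then length-prefixed SCTs."""
    (total,) = struct.unpack_from(">H", ext_value, 0)
    if total != len(ext_value) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(ext_value):
        (n,) = struct.unpack_from(">H", ext_value, pos)
        scts.append(parse_sct(ext_value[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def ct_compliant(ext_value, min_distinct_logs=2):
    """Simplified CT policy (assumption): extension present, SCTs from N distinct logs."""
    if not ext_value:
        return False  # no embedded SCTs: nothing guarantees the cert was ever logged
    return len({s.log_id for s in parse_sct_list(ext_value)}) >= min_distinct_logs

def fake_sct(log_id, ts_ms):
    """Constructed v1 SCT (no extensions, sha256/ecdsa ids 4,3, dummy 64-byte signature)."""
    return b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00\x04\x03" + struct.pack(">H", 64) + b"\x00" * 64

def sct_list(*scts):
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

# Constructed sample: SCTs from two different fake logs, and from the same fake log twice
TWO_LOGS = sct_list(fake_sct(b"\x11" * 32, 1700000000000), fake_sct(b"\x22" * 32, 1700000001000))
ONE_LOG = sct_list(fake_sct(b"\x11" * 32, 1700000000000), fake_sct(b"\x11" * 32, 1700000001000))
```

With a real certificate, the bytes to feed `ct_compliant` are the value of the extension with `SCT_EXTENSION_OID`; a cert that simply omits it fails the check, which is exactly what CT enforcement catches and what a vendor could no longer require if 45.1b is read as the post reads it.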


Jos :donor:
@castillar@infosec.exchange
re: eu destroying pki?

@ww@xyzzy.link It's been an ongoing debate in the PKI community, and one where I weirdly found myself on the side of the browser manufacturers.

Thing is, I can kind of see how the EU got to that conclusion. They believe very strongly in the usefulness of EV certs providing more information than just "this domain is valid", and they were looking to avoid the possibility of QWAC issuers being subject to conflicting requirements when the CABF standards said one thing and the QWAC requirements said another. Sadly, they arrived at the wrong result from it, which is to throw the baby out with the bathwater and then mandate that no one goes to rescue the baby.

ww 🩶🩶
@ww@xyzzy.link
eu destroying pki?

@EUCommission@shitpost.trade can i get your comment on this

European Commission
@EUCommission@shitpost.trade
re: eu destroying pki?

@ww@xyzzy.link this makes me so horny kgslhdlhd 🥺🥺