@ww@xyzzy.link
https://eur-lex.europa.eu/eli/reg/2024/1183/oj/eng#045.001
45.1. Qualified certificates for website authentication shall meet the requirements laid down in Annex IV. [...]
45.1a. Qualified certificates for website authentication issued in accordance with paragraph 1 of this Article shall be recognised by providers of web-browsers. Providers of web-browsers shall ensure that the identity data attested in the certificate and additional attested attributes are displayed in a user-friendly manner. [...]
45.1b. Qualified certificates for website authentication shall not be subject to any mandatory requirements other than the requirements laid down in paragraph 1.
this is the law that's been passed and should be in force now? the eu wants to force web browsers to:
- trust eidas certificate authorities
- revert to prominently displaying extended validation data
- not require certificate transparency on european certificates!!!!
the practical implications:
- any eu state can issue a valid certificate for any website
- it is illegal for a browser vendor to reject it
- without certificate transparency, it would be undetectable; even if there's an eu-wide registry (is there?), nothing stops them from not adding the cert to it (whereas ct is enforced)
- this enables mitm at the isp level across the eu; basically eu countries can view any of their residents' browser traffic if they want
please tell me i misunderstood the law?