The legislation requires web browsers to trust EU countries’ CAs (which browsers already tend to do, but are presently free to remove when they’re observed being misused) and prohibits doing non-ETSI-approved validity checks (eg, certificate transparency, which is a way CA-misusing MITM attackers can be caught).
Wouldn’t you say the point of that particular clause is to reduce browser security (so that cops and intelligence agencies are free to exploit it without interference from CT)?
I doubt they care about CT checks per se, they’re just afraid that Digicert fucking up will break their critical government services.
Right… uh. Listen, my government used a local/regional CA. Do you want to know what happened? My government got the privilege to emergency re-issue all of their TLS certificates with a different CA because the local/regional CA forgot to renew its own CA certificate. Everything was down. Government websites, government services, eID SSO authentication, etc. You had one job!
The legislation requires web browsers to trust EU countries’ CAs (which browsers already tend to do, but are presently free to remove when they’re observed being misused) and prohibits doing non-ETSI-approved validity checks (eg, certificate transparency, which is a way CA-misusing MITM attackers can be caught).
Wouldn’t you say the point of that particular clause is to reduce browser security (so that cops and intelligence agencies are free to exploit it without interference from CT)?
[This comment has been deleted by an automated system]
Right… uh. Listen, my government used a local/regional CA. Do you want to know what happened? My government got the privilege to emergency re-issue all of their TLS certificates with a different CA because the local/regional CA forgot to renew its own CA certificate. Everything was down. Government websites, government services, eID SSO authentication, etc. You had one job!