This is a shit show. People complain a lot about the UK breaking encryption and meanwhile the EU is doing the same, at a higher level without people even noticing.
Here's the TL;DR for anyone unfamiliar with the subject: eIDAS includes a lot of useful stuff but also requires browsers to include CAs designated by member states. Including a CA means that entity can issue SSL certificates that will be accepted / valid on those browsers -> this means the countries controlling those CAs can simply argue "national security" and have those CAs issue SSL certificates for ANY domain they would like and then use them to launch a man-in-the-middle attack against anyone they would like to. :)
The proposed legislation says that browsers "can't do additional validations on the certificates from the CA" (more or less this wording), meaning a simple CAA DNS check from a browser would be against said legislation.
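For readers wondering what "a simple CAA DNS check" would actually look like, here is an added example (not code from the thread or from any browser): it applies the RFC 8659 CAA matching rules, which are written for CAs at issuance time, to the issuer of a certificate a client has just been presented. The zone data and issuer names are constructed for the example.

```python
# Added example: client-side cross-check of a presented certificate's issuer
# against the domain's CAA records (RFC 8659 semantics). DNS answers are
# constructed inline so the example runs offline; "state-ca.example" is a
# made-up issuer domain used only to show a mismatch.
from dataclasses import dataclass


@dataclass
class CAARecord:
    flags: int   # bit 7 (0x80) = issuer-critical flag
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. "letsencrypt.org", or ";" meaning "no issuer may issue"


# Constructed zone: owner name -> CAA RRset (empty list = no CAA records there)
CONSTRUCTED_ZONE = {
    "www.example.org": [],
    "example.org": [CAARecord(0, "issue", "letsencrypt.org"),
                    CAARecord(0, "issuewild", ";")],
    "org": [],
}


def relevant_caa(name, zone):
    """RFC 8659 section 3: climb the name tree; the first RRset found governs."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Property value is '<issuer-domain>[; param=...]'; ';' alone yields ''."""
    return value.split(";")[0].strip().lower()


def caa_permits(name, issuer, zone, wildcard=False):
    """True if CAA allows `issuer` to issue for `name`; no CAA at all = permitted."""
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True
    # Unknown property tags with the critical flag set mean "do not issue".
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    relevant = [r for r in rrset if r.tag == ("issuewild" if wildcard else "issue")]
    if wildcard and not relevant:          # no issuewild: fall back to issue
        relevant = [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True                        # no issue/issuewild property: unrestricted
    return any(issuer_domain(r.value) == issuer.lower() for r in relevant)
```

A client that sees a certificate for www.example.org chained to an issuer the CAA set does not name would flag it here, which is exactly the kind of extra validation the quoted wording would forbid.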
How long before the devs or an extension give us the option to manually distrust CAs?
Have you been living under a rock?