- cross-posted to:
- hackernews@derp.foo
- cross-posted to:
- hackernews@derp.foo
EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from…
No it hasn’t, not even slightly.
The latest text has not yet been released, but when it is you will see a separation between Identification and Encryption. It is also clearly stated that browsers are allowed to do whatever they want regarding recognition of CAs for encryption. tl;dr the status quo for encryption (linking a domain to a server) does not change, browsers will only be forced to recognise identity (linking a organisation to a server). This will force a re-engineering of QWACs/EV certs in general in favour of something like ntqwacs.