Acts and regulations (to use the UK legal parlance) perform different functions. Legislators will write a law (primary legislation) via an Act (of parliament) and powers are delegated to a regulator (or minister) who will then set regulations (secondary legislation) that fit within the power of the Act.
The secondary legislation is the bit that can be updated without requiring a new Act. If EU law is set up in the same manner (and no doubt it will be similar, as not only is this method good when meeting the ideal but also useful for corrupt politicians to write law with less scrutiny), then the copy and paste is from secondary legislation. It may well need an update, but that doesn't mean it can't be updated in the manner you advocate.
That really brings up the question: will all of those experts be trusted? Or might they be swayed by a hostile party like the NSA? So the updated version would be more insecure than the existing one...
It's not even a question of being swayed. I don't know about the process in the UK, but regulation writing is so slow in the US that being FIPS compliant usually means you're actually less secure since you're behind the latest in security.
Because it is not necessary. The actual parties involved know what is meant and intended, so adding some ongoing and constant amendment process is counter-productive.
Speaking from personal experience, it is necessary to update these references, because people implementing them have no choice but to follow the letter of the law. I have worked on govt projects where we had to downgrade to an insecure cipher suite to comply with outdated regulations.
Putting on my govt contractor hat, there may be a business opportunity here to set up VMs running Win95/Netscape Communicator for use by all the civil servants looking to comply with the law. Could charge a pretty penny too - it’ll all get budgeted as “Brexit compliance” costs.
> there may be a business opportunity here to set up VMs running Win95/Netscape Communicator for use by all the civil servants looking to comply with the law.
The text quoted in the linked article in no way mandates the use of Netscape Navigator or Mozilla Mail - it merely references them as being widely distributed software capable of using RSA 1024 and SHA-1 (which it does appear to mandate).
> Speaking from personal experience, it is necessary to update these references, because people implementing them have no choice but to follow the letter of the law.
Because there isn't a Big Book of Industry Best Practices everybody can trivially agree to use?
Sometimes they don't exist - who maintains a sufficiently reputable list of safe email clients and web browsers?
Sometimes they exist but they carry some baggage - the FIPS standards for cryptography are probably fine, certainly better than hardcoding a couple of algorithm names, but they're also controlled by a foreign government.
Best practice most likely wasn't good enough back when the original text was written. But yeah, they should have made it a bit more future-proof, and they definitely shouldn't have copy/pasted the text into new treaties 12 years later.