|
|
|
|
|
|
by jruohonen
965 days ago
|
|
|
From: https://data.consilium.europa.eu/doc/document/ST-14959-2022-... Article 45(2): "Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services." Article 45a(3): "A qualified electronic attestation of attributes issued in one Member State shall be recognised as a qualified electronic attestation of attributes in any other Member State". Article 45a(4): "An attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source shall be recognised as an attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source in all Member States." |
|
|
> The proposed legislation also prevents the introduction of security checks when verifying the certificates used for encrypted web traffic in Art 45, (2a). As written, this language requires that the EU’s website certificates not be subjected to any mandatory requirements beyond those specified in ETSI standards.
This is awful, as it would forbid browsers from requiring Certificate Transparency, or banning a weak hash algorithm (like SHA-1), or requiring post-quantum keys unless the EU agrees to it.