[Jensson]

> This is still very bad.

Yes, potentially, but it isn't "another kind of chat control".

[g-b-r]

It's another side of the efforts of going around encryption, chat controls deals with communication services, this one with browsers

[Jensson]

But this doesn't force browsers and sites to use weak encryption. It is very different.

[g-b-r]

This forces browsers to accept all the CAs approved by the EU states, and you can be certain that some of them will be used for decrypting (and if needed modifying) the traffic

[Jensson]

And then you can just tell the browser to not trust those CAs and you are safe. This is nothing like "chat control". This only lets the government spy on people who don't care if the government spies on them.

[yaris]

IIRC one cannot tell the browser to not trust root CAs, that's why all the fuss.

[Jensson]

Why shouldn't you be able to do that? Seems like a simple thing to implement. I get why they want a hardcoded list, but I don't get why you can't add a way to block parts of that hardcoded list.

[no_time]

Luckily, I never said anything like this anywhere.

[raverbashing]

Yes, I agree. The crying wolf is too much sometimes.

Accepting certificates from a given issuer does not give them the issuer the right to impersonate others

[g-b-r]

All root CAs can issue certificates for any site (except those with CAA records etc.)