[fuoqi]

If certificates issued by those CAs will be tied to independent (from EU) certificate transparency (CT) services and to specific national top-level domains, then I am completely fine with this. After a big number of websites in Russia (including the biggest bank in the country) have effectively lost access to the CA infrastructure used by commonly used browsers, I don't think any honest person can say that the current status quo is robust enough. So it looks like EU simply hedges against this potential infrastructure risk.

To mitigate the MitM risk I believe that CT and limiting CA to specific top-level domains (so a hypothetical RU CA would not be able to issue certificates for .eu or .com) should be sufficient enough.

[eps]

Re: Russia - SberBank, which is used by the vast majority of population, voluntarily switched to a new Russian government-controlled CA. This move aimed to coerse people to install this CA's cert under false premises and to let the state splice https if needs be. The goal was bloody obvious and it has never been about the "robustness" of infrastructure. They just want to take away people's Internet privacy.

[fuoqi]

I hope you are simply not familiar with the situation and not FUDing around.

The "false premise" was that GlobalSign has refused to issue new certificates for Sberbank and there were several cases of CAs revoking existing certificates. They eventually have found a CA (Harica DV) which was willing to issue new certificates, but it was not clear at the time that such CA will be found and the new certificates can be revoked at any moment after a new wave of sanctions or simply after a strongly worded warning from Washington or Brussels. Relying on a relatively minor Greek CA for bank operations is clearly not a good strategy in their situation.

[nulld3v]

Leaving a source for other readers: https://www.bleepingcomputer.com/news/security/russia-create...