by g_p 958 days ago
I believe that the stated/claimed intent is to create cross-country, bloc-wide digital signature interoperability and acceptance standards. The theory being that you can "digitally sign" things with a national ID (e.g. a smart card), and have that recognised anywhere in the EU. That would, in theory, help to reduce and simplify bureaucracy, especially for people moving between countries in the EU (a process which can be quite complex even with freedom of movement, due to totally different cultural norms around government systems, forms, languages, etc.).

Something better than typing your name and trusting a third party to do email verification for a digital signature certainly sounds like it could have advantages for doing business though.

I believe the issues identified here seem to stem from a (very) over-enthusiastic desire to have certificate acceptance everywhere (i.e. prevent discriminating against one country's citizens by excluding their ID card CA), without understanding the different types of trust chains and certificate chains. Presumably scattered with a bit of technical naivety as well. The concept itself is (probably?) fine, as long as it doesn't try to force browsers or SSL verifiers to accept or trust certificates they don't want to.


Indeed: the goals are justifiable and very much welcome, in my opinion. Yet, I do not understand what CAs and the global TLS/PKI ecosystem have to do with the goals.
> Yet, I do not understand what CAs and the global TLS/PKI ecosystem have to do with the goals.

Technically that is also digital signing. The regulators probably thought that all kinds of digital signing should be included in this bill and just slapped something down for browsers while they were at it.

My guess is that someone saw the value (rightly) in being able to do "good" digital signatures on the web (better than docusign in terms of integrity/proof), and that meant (in their head) those certificates have to work in the web browser.

Which, if you don't understand web trust and PKI, means a bit of searching online will tell you that you need your browser to trust the CAs you use for digital signatures.

Which is of course not true - you can (and should) present an "untrusted" (i.e. not a server authentication) certificate as your client certificate or for signatures, as there are different trust bits and use-cases for different kinds of certificates.
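The "different trust bits" point above, shown as an added example that is not part of the thread: a constructed, hypothetical national ID root CA issues two leaf certificates, a TLS server certificate and a personal signing certificate. Both chain to the same root, so "trusting the CA" is identical for both; the extended key usage (EKU) is what lets a TLS verifier accept one and reject the other. Go's standard crypto/x509 verifier is used as the checker; every name and value in the certificates is made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoPKI holds a constructed (hypothetical) national ID root and two leaves.
type demoPKI struct {
	Root    *x509.Certificate // the CA a verifier may or may not trust
	Server  *x509.Certificate // EKU: serverAuth only
	Signing *x509.Certificate // EKU: clientAuth + emailProtection, no serverAuth
}

func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// issue signs tmpl with parent/parentKey and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI creates the constructed root and issues both leaves from it.
func buildPKI() (*demoPKI, error) {
	now := time.Now()
	caKey, err := newKey()
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example National ID Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// No EKU on the CA: the verifier treats that as "any purpose" for chain checks.
	}
	root, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}

	srvKey, err := newKey()
	if err != nil {
		return nil, err
	}
	serverTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server, err := issue(serverTmpl, root, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}

	sigKey, err := newKey()
	if err != nil {
		return nil, err
	}
	signingTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "Jane Citizen (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		// digitalSignature + contentCommitment (nonRepudiation) is the usual
		// key usage profile for a personal signing certificate; no serverAuth EKU.
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	signing, err := issue(signingTmpl, root, &sigKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{Root: root, Server: server, Signing: signing}, nil
}

// verifyFor builds a chain from cert to root and then applies the EKU gate for
// the requested purpose, which is what a TLS client does with serverAuth.
// Passing x509.ExtKeyUsageAny checks the chain alone, with no EKU gate.
func verifyFor(cert, root *x509.Certificate, purpose x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err
}

// isIncompatibleUsage reports whether err is specifically the EKU rejection,
// as opposed to an untrusted root, expiry or hostname mismatch.
func isIncompatibleUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"server cert", p.Server}, {"signing cert", p.Signing}} {
		fmt.Printf("%-12s chains to root: %v\n", c.name, verifyFor(c.cert, p.Root, x509.ExtKeyUsageAny) == nil)
		fmt.Printf("%-12s accepted for TLS serverAuth: %v\n", c.name, verifyFor(c.cert, p.Root, x509.ExtKeyUsageServerAuth))
	}
}
```

Both leaves pass the chain-only check, but only the server certificate passes the serverAuth gate; the signing certificate is rejected with IncompatibleUsage even though its issuer is in the trust store. A browser that is told to add a CA to its root store still never has to accept a signing-profile certificate for a TLS connection, and a signing verifier can equally well apply its own EKU and key usage policy without the CA being in any browser root program.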

Oh! That is a good way to conflate the issue. "It's for signing and verification."

That definitely has almost nothing to do with TLS and browsers. Why does my browser need to verify national ID cards? (no need to answer that)