by Jensson 962 days ago
Maybe browsers shouldn't hardcode those things? If they let you blacklist CAs you could do that yourself or via a plugin. There is nothing preventing browsers from implementing that, and having a one-click button "don't trust compromised CAs". Could even have that during install as a toggle, would satisfy every legal requirement.

If this means users get more power over what CAs to trust then that is a good thing.

2 comments

You can manually distrust hardcoded CAs in all common browsers. But even now, this is rarely used because it is tedious: there are roughly a hundred active CAs.

And depending on how that law will be interpreted by courts, manually distrusting might be considered illegal.

> manually distrusting might be considered illegal

It is just a display change, all the law says is:

"For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner."

I don't see how adding a warning icon or block icon instead of the lock would be banned. To me it seems like so much here is based on baseless assumptions.

No, manually distrusting will probably be considered illegal. "Browsers shall ensure", no exceptions: https://news.ycombinator.com/item?id=38109691

I would also urge you to refrain from using terminology such as "baseless assumptions" when your own assumptions are so easily refuted by directly reading the text of the proposal.

I, as a user, decide what is user friendly to me.
To me at this point it seems like you're trying to defend this law a priori...
> If this means users get more power over what CAs to trust then that is a good thing.

Do you really think your average user is going to go into the browser and manually distrust root CAs? We have learned again and again that good security is "secure by default", not "secure after arcane configuration".