by Jensson 965 days ago
eIDAS exists since there are many conflicting standards for electronic certificates. eIDAS is an effort to unify those standards. Maybe the clause where they say browsers have to add specific CAs is for spying, but eIDAS in general isn't to help spying; it's just there to help unify all the different electronic certificate services in the EU.

For example, banking, signing official documents like grades from school, etc.: all of those use cases are a part of eIDAS. That is the core of the standard, and there you really want to see all the certificate information to be sure it is the right origin, since unlike browsers there is no list of trusted CAs; you just see that some organization accepted it.

Edit: Browsers already had their own standard that they think is better than eIDAS, so they don't want this to apply to them. But Occam's razor says that the EU just added "and browsers should also do this" instead of there being some conspiracy behind it; it was simpler to just add everything instead of leaving just browsers out.


> eIDAS exists since there are many conflicting standards for electronic certificates. eIDAS is an effort to unify those standards.

Did we need laws to "unify" all the standards we successfully use today, like IP, UDP, TCP, HTTP, TLS, Certificate Transparency, HTML, ECMAScript, CSS, DNS, DMARC, DKIM, SSH, etc.? Laws are not the right tool for this. And law makers don't have the necessary expertise.

It’s either laws or market forces; both have drawbacks.

While eIDAS seems like a great idea to coerce member states into adopting a common standard, it just also happens to sneak EU-centralist ideology in, and total digital surveillance is the 0th application of that ideology.

The big catch with EU is: once you opt in, opting out is very difficult.

There are also great many standards we use today that were unified and enforced through laws.

Open any law on produce, construction, cars, industrial equipment (and a million others), and you'll find thousands of specs and standards mandated by law, and for a reason.

I think ECMAScript may actually be a counter example, no? Isn't that also governed and funded by the European council?

There definitely isn't a law mandating JavaScript engines to follow the ECMAScript standard, which would be the equivalent of what's happening here.

> Browsers already had their own standard that they think is better than eIDAS

Unlike the Browser/CA forum rules, which are security focused, eIDAS comes from a government mandate first and foremost, so the concern isn’t entirely subjective as you suggest.

> "and browsers should also do this" instead of there being some conspiracy behind it

The law isn’t RFC 2119, where there is a distinction between SHOULD and MUST: the law is all about what an entity MUST do, so bringing up “should” in this context isn’t helping the point you’re trying to make.

I don't get what your point is here. You said this, and that is what I argued against; your points here do nothing to defend this: "For anyone who’s about to say that surveillance isn’t the point of this legislation".

> Unlike the Browser/CA forum rules which are security focused, eIDAS comes from a government mandate first and foremost, so the concern isn’t entirely subjective as you suggest.

I didn't say this was subjective. My argument was that it is easy to see why the EU would do this without having surveillance in mind. They just wanted all certificates to follow the same standard; the main part of these standards was document signing, and they thought web sites are documents, so they added them to the standard as well.

> so bringing up “should” in this context isn’t helping the point you’re typing to make.

I didn't make a distinction between should and must there; that wasn't my point at all. What was hard to understand there? This bill is first and foremost about document signing, and then they added a clause that it also applies to browsers. That is the main part of my argument.

A bill that first and foremost targets document signing doesn't seem like it was obviously made to add spying on browsers. If that is what they wanted, they would have labeled it "web protection bill" or something, like they did with the chat one; they aren't afraid of saying it is about spying when that is what they want.

A healthier approach for the EU to get e.g. document signing to a single standard would be:

- Make sure there is an open standard (is there?)

- Fund and promote its open source development

- Have an industry lobbyist non-profit to onboard individual businesses

If the goal is to ”promote standards”, the way this is being done does not seem to be aligned with the 50 years of software industry standard development, with examples like TCP/IP, PNG, AV1 and so on.

> signing official documents like grades from school

I have no Earthly idea why a) this needs to be done digitally, or b) for the EU to be involved (at EU level) with this.

Unfortunately if you pitch mission creep vs the principle of subsidiarity, the former wins every time.

University grades are standardised already. This is useful because it allows people to work in other countries; digitally signing them prevents fraud.

This is just one use case for eIDAS, then you have things like interacting with different government institutions, banks, et cetera, et cetera.

There are a lot of people who live in, work in, or visit other EU countries, as is their near absolute right. We should therefore standardise technology on the EU level to make their lives easier.

> University grades are standardised already

... for some value of "standardised"?

UK[0]: First, 2:1, 2:2, Third

Germany[1]: 1 to 5

France[2]: "on a scale from 0-20"

<chuckle>

[0] https://www.imperial.ac.uk/students/success-guide/ug/assessm... [1] https://www.uni-passau.de/en/international/coming-to-passau/... [2] https://u-paris.fr/en/higher-education-in-france/

Since you are obviously ignorant of how it works: when you get a degree you get a transcript where all local grades are translated to ECTS, which you then would use to apply for jobs. Of course in the tech industry grades or even whole degrees are generally disregarded, but in finance and other fields they, of course, are.

https://en.wikipedia.org/wiki/ECTS_grading_scale

> When you get a degree you get a transcript where all local grades are translated to to ECTS, which you then would use to apply for jobs

https://www.google.com/search?q=%22job+application%22+%22ECT... gets me only a handful of results and a warning that 'It looks like there aren't many great matches for your search'

Do (m)any European employers know about this scheme?

Job applications in Europe typically list a degree that is required, rarely the score that an applicant is expected to have received. Nonetheless, ECTS scoring is nowadays awarded to every degree that is obtained in a country that is a signatory to the Bologna accord. To answer your question, it is an established standard.

https://en.wikipedia.org/wiki/Bologna_Process#Signatories

The diploma comes with an explanatory supplement (at least mine does), so employers don't really need to know about it; they just need to read (and maybe they won't do that).

Great, very good! Now if you want to standardize encrypted communication, please do it with the help of security researchers, not like this.

Other than this questionable browser CA thing, do you think there are any specific flaws with the crypto system presented in eIDAS?

Alright, so I am not a security researcher, so actual security researchers may not share my views. Also, as mentioned on the site, the full text of the new regulation is not public yet. And finally, I have only skimmed whatever text is available, given that it's over 100 pages, and I skipped over most of the EDIW stuff (it's a really complex system that I can't understand/audit in 20 mins).

But with that out of the way, no, I don't have any other complaints; I think the regulation is generally a move in the right direction.

> since unlike browsers there is no list of trusted CAs,

This "Trusted CA" is such a lie. I mean, we all know that Google, MS etc. do ugly things with user data, but apparently we have no objection to trusting them with cryptography.