by fweimer
965 days ago
But it doesn't enable covert surveillance. Even without Certificate Transparency, the change in server certificate is visible to the client. Initiatives like Let's Encrypt could make it visible to server operators, too. The browser UI will present those new qualified certificates and existing certificates differently anyway, so I'm not sure if this is going to work. The bigger issue is that for this in order to work at all, the regulation must have provisions for issuing fake assertions of existing identities to law enforcement and other security services. The predecessor didn't seem to have that. This is different from providing fake identification documents for undercover operations because as far as I understand it, those use are usually mostly made-up and do not impersonate another person. We would have to read the actual text of the proposed regulation to know the details, but both sides (legislators and those fueling the outrage machine) do not really want us to form our own opinion and hide the draft text from us.
Changes to server certificates happen all the time -- every 60 days or so, if you're getting certs from Let's Encrypt. Browsers can't tell their users every time a certificate changes because the users will just get notification-blindness and be trained to click past the warnings.
Let's Encrypt doesn't help server operators see this; I'm really not sure what you mean by that. Certificate Transparency would help server operators see this, but the new law text forbids browsers from requiring CT for these certs!
The law doesn't have to solve the problem of how security services will assert fake identities. Each member state can solve that internally. Allegedly, given the recent report of a hijack against jabber.ru and xmpp.ru, they already have. The problem is that, when they do, no one else has any recourse. No other member state can say "hey, don't hijack my websites!", no citizen can say "hey, don't hijack my traffic!", and no browser can say "hey, you issued a false certificate, we don't trust you anymore!".
Fundamentally, the whole issue with eIDAS comes down to one thing: you cannot mandate trust. By definition. If it's mandated, it isn't trust, it's something else. By mandating that browsers "trust" certain CAs, they're breaking the entire trust model of the internet.
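The reply above makes two detection points: routine renewals (Let's Encrypt every 60 days or so) are too frequent for browsers to warn on, while CT lets a server operator notice a certificate for their name issued by a CA they never chose. This added example (mine, not from anyone in the thread) runs that operator-side check over constructed CT-monitor-style entries; the domain, issuer names and the expected-CA allowlist are assumptions.

```python
"""Operator-side CT monitoring check: flag certificates for our domain whose
issuer is not one we chose, while leaving routine renewals alone."""

# Constructed sample entries in the shape a CT log monitor might hand back
# (issuer DN, validity start, subject names). Not real log data.
SAMPLE_ENTRIES = [
    {"issuer": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2023-08-01", "names": ["example.org"]},
    {"issuer": "C=US, O=Let's Encrypt, CN=R3",  # routine ~60-day renewal
     "not_before": "2023-09-30", "names": ["example.org", "www.example.org"]},
    {"issuer": "C=XX, O=Hypothetical Mandated QTSP, CN=QWAC CA 1",  # assumed
     "not_before": "2023-10-15", "names": ["example.org"]},
]

# Assumption: the CA organisations this operator actually obtains certs from.
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}


def issuer_org(issuer_dn):
    """Return the O= attribute of a comma-separated DN string, or None."""
    for part in issuer_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return None


def covers(entry, domain):
    """True if the entry's subject names include the domain (or a matching wildcard)."""
    parent = domain.partition(".")[2]
    return domain in entry["names"] or ("*." + parent) in entry["names"]


def find_unexpected_issuance(entries, domain, expected_orgs):
    """Entries covering `domain` whose issuer organisation is not on the allowlist.
    Renewals from an expected CA are not reported, however often they occur."""
    return [e for e in entries
            if covers(e, domain) and issuer_org(e["issuer"]) not in expected_orgs]


def count_expected_renewals(entries, domain, expected_orgs):
    """How many entries for `domain` came from an expected CA (benign churn)."""
    return sum(1 for e in entries
               if covers(e, domain) and issuer_org(e["issuer"]) in expected_orgs)


if __name__ == "__main__":
    for hit in find_unexpected_issuance(SAMPLE_ENTRIES, "example.org", EXPECTED_ISSUER_ORGS):
        print("unexpected issuer for example.org:", hit["issuer"], hit["not_before"])
```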