|
Unfortunately this isn't how it works in practice. Changes to server certificates happen all the time -- every 60 days or so, if you're getting certs from Let's Encrypt. Browsers can't tell their users every time a certificate changes because the users will just get notification-blindness and be trained to click past the warnings. Let's Encrypt doesn't help server operators see this; I really not sure what you mean by that. Certificate Transparency would help server operators see this, but the new law text forbids browsers from requiring CT for these certs! The law doesn't have to solve the problem of how security services will assert fake identities. Each member state can solve that internally. Allegedly, given the recent report of a hijack against jabber.ru and xmpp.ru, they already have. The problem is that, when they do, no one else has any recourse. No other member state can say "hey, don't hijack my websites!", no citizen can say "hey, don't hijack my traffic!", and no browser can say "hey, you issued a false certificate, we don't trust you anymore!". Fundamentally, the whole issue with eIDAS comes down to one thing: you cannot mandate trust. By definition. If it's mandated, it isn't trust, it's something else. By mandating that browsers "trust" certain CAs, they're breaking the entire trust model of the internet. |