[rnhmjoj]

This claim that eIDAS is an attempt to intercept TLS and spy on citizens has been repeated over and over this week without any basis and I'm getting sick of it. I don't understand why everyone immediately assumes bad faith here when it's much more likely that this is just a botched article written by someone who has not had to deal with the intricacies of the web PKI.

Do you seriously think the intent here is to allow, say, Italy to issue a certificate and spying on german citizens? Or maybe it is to make sure italian citizens (regardless of browser vendor) can access the social security website without getting a scary warning message?

[alkonaut]

Intent is important if you are attacking the character of the legislator. If we are criticizing the legislation itself then it's the effect of it we should be focusing on.

As in "what's the worst outcome that can come from this piece of legislation, assuming malicious intent from the person wielding this law in the future". If the answer to that is "uh, not good" then the legislation is bad.

[SenAnder]

> Do you seriously think the intent here is to allow, say, Italy to issue a certificate and spying on German citizens?

This legislation allows and enables it, regardless of intent.

[rnhmjoj]

But that does not mean "Europe ready to intercept, spy..." or "EU Tries To Slip In New Powers To Intercept Encrypted Web..." as these articles are claiming.

[SenAnder]

> Europe ready to intercept, spy

That is what this legislation would enable, so this is accurate.

> EU Tries To Slip In New Powers To Intercept Encrypted Web

Again, that is what this legislation would enable, so this is also accurate.

[noirscape]

It's also very much not the case; regulators adjusted that part of eIDAS earlier this week - Browsers aren't required to trust these certificates for DNS or HTTPS connections. The law is still in proposal/feedback stage and the lawmakers listened to the complaints.

TLS interception likely was never a seriously intended goal, just a side-effect due to how the law was worded.

[rnhmjoj]

Interesting, what is the purpose then? Do you have a link to the updated text?

[hyperman1]

Afaik they want a digital id card for each person and business, so europeans can legally identify themselves and enter legally valid digital contracts on the web.

[noirscape]

Unfortunately the new text isn't public yet; I'm basing my conclusion on this source: https://epicenter.works/en/content/eu-digital-identity-refor... (which was linked on HN earlier today) and claims that the TLS/HTTPS stuff has been adjusted.

At risk of poorly resummarizing the article:

The real purpose seems to be that the EU wants to regulate customer data collection for online transactions. It's an e-Identity law at its core; the EU wants member states to set up a centralized "Wallet" service that can be used to safely exchange a limited amount of PI for things such as digital transactions.

There's little direct reason for example for say, Hetzner, to have the address data of any of their customers on file - they don't send you any physical mail or anything like that. They have that info mostly because of anti-fraud laws that mandate they store a lot of information with each transaction. With the new Wallet setup, they only have to request what they need and the government can still keep those KYC laws working without you having to store a ton of personal data at a third party.

The QWAC stuff is a part of the law because the way this practically ends up working is that a EU citizen that wants to use the wallet (the process is strictly opt-in; if you don't want to use it, you don't have to) needs to give their approval kinda like how it works with OAuth. QWACs were a harebrained attempt at making it clear to the user that the site they're giving their approval on was actually a real government site.

The original law text forced QWACs to not only be displayed but prevented browser makers from doing the usual security processes to deem if the certificates are safe. The new text seems to address this issue according to the source; QWACs for government sites must still be displayed if approved by the browser (so for government sites you'd still get the green text after the security lock like how it was back in the day when EVs were a thing - this is what the EU really wants out of this law from what I can tell, normal certificates don't give them this assurance - they basically want to tell their citizens "yeah, if you see this text after the padlock, only then you can be sure this is the German government"), but browsers aren't required to forcibly bypass all their security processes to do so, giving them back the control they need against bad actors. Firefox can still choose to block a bad QWAC or restrict the list of QWACs they approve to only a small list of government domains, should they decide the certificate authority is behaving inappropriately.

[philprx]

You obviously didn't have to deal with the misuse of security, "for the children" pretext for interception, and crypto scare attempts...

Yes, there are too much ill conceived attempts against security that in the end will hurt everyone. It's disappointing to see it coming from EU.

[illiac786]

I agree actually. Which data exactly will be transported over TLS connection secured by these certs? Who said it has to be the entire HTTP traffic, why not just the traffic required for authentication? It seems very vague at the moment...