[noirscape]

It's also very much not the case; regulators adjusted that part of eIDAS earlier this week - Browsers aren't required to trust these certificates for DNS or HTTPS connections. The law is still in proposal/feedback stage and the lawmakers listened to the complaints.

TLS interception likely was never a seriously intended goal, just a side-effect due to how the law was worded.

[rnhmjoj]

Interesting, what is the purpose then? Do you have a link to the updated text?

[hyperman1]

Afaik they want a digital id card for each person and business, so europeans can legally identify themselves and enter legally valid digital contracts on the web.

[noirscape]

Unfortunately the new text isn't public yet; I'm basing my conclusion on this source: https://epicenter.works/en/content/eu-digital-identity-refor... (which was linked on HN earlier today) and claims that the TLS/HTTPS stuff has been adjusted.

At risk of poorly resummarizing the article:

The real purpose seems to be that the EU wants to regulate customer data collection for online transactions. It's an e-Identity law at its core; the EU wants member states to set up a centralized "Wallet" service that can be used to safely exchange a limited amount of PI for things such as digital transactions.

There's little direct reason for example for say, Hetzner, to have the address data of any of their customers on file - they don't send you any physical mail or anything like that. They have that info mostly because of anti-fraud laws that mandate they store a lot of information with each transaction. With the new Wallet setup, they only have to request what they need and the government can still keep those KYC laws working without you having to store a ton of personal data at a third party.

The QWAC stuff is a part of the law because the way this practically ends up working is that a EU citizen that wants to use the wallet (the process is strictly opt-in; if you don't want to use it, you don't have to) needs to give their approval kinda like how it works with OAuth. QWACs were a harebrained attempt at making it clear to the user that the site they're giving their approval on was actually a real government site.

The original law text forced QWACs to not only be displayed but prevented browser makers from doing the usual security processes to deem if the certificates are safe. The new text seems to address this issue according to the source; QWACs for government sites must still be displayed if approved by the browser (so for government sites you'd still get the green text after the security lock like how it was back in the day when EVs were a thing - this is what the EU really wants out of this law from what I can tell, normal certificates don't give them this assurance - they basically want to tell their citizens "yeah, if you see this text after the padlock, only then you can be sure this is the German government"), but browsers aren't required to forcibly bypass all their security processes to do so, giving them back the control they need against bad actors. Firefox can still choose to block a bad QWAC or restrict the list of QWACs they approve to only a small list of government domains, should they decide the certificate authority is behaving inappropriately.