by kmeisthax 941 days ago
Currently the default trust list in your browser is solely decided by your browser. More specifically there's an organization called the CA/Browser Forum where all the browser vendors are. If you want to become a CA today, you go to the Forum, submit your proposal, and then the browser vendors decide whether or not you're trustworthy. If a CA misissues certificates or otherwise screws up security, that evidence goes to the Forum and then browsers decide how to deal with that CA. Notably, in the worst case scenario, the browser developers can and have decided to completely distrust an entire CA, completely destroying their business. This has happened multiple times.

eIDAS changes this by, effectively, creating a special EU government analogue to the CA/Browser Forum. All browser developers in the EU have to trust eIDAS's CAs. This is a transfer of power from a voluntary industry consortium to appointed EU technocrats.

All those existing government CAs are currently audited by CA/B. If Greece gets caught misissuing certificates they can have their CA roots revoked by the browser vendors. The concern is that under eIDAS, the EU could just not revoke the certificate, and the browser vendors' hands would be tied. They'd be forced to accept known bad CAs and every cert they sign, including the spyware ones.


> eIDAS changes this by, effectively, creating a special EU government analogue to the CA/Browser Forum. All browser developers in the EU have to trust eIDAS's CAs. This is a transfer of power from a voluntary industry consortium to appointed EU technocrats.

The flipside is that while it may be a "voluntary consortium", all major browsers are developed by entities based in the US, that are therefore subject to National Security Letters etc. (and, more insidiously, US social pressure). When the next Snowden-style revelation comes out, what's to stop the US security apparatus from blocking sites associated with it? So yeah, I see more upside than downside in my browser having at least some accountability to the EU.

> All those existing government CAs are currently audited by CA/B. If Greece gets caught misissuing certificates they can have their CA roots revoked by the browser vendors. The concern is that under eIDAS, the EU could just not revoke the certificate, and the browser vendors' hands would be tied. They'd be forced to accept known bad CAs and every cert they sign, including the spyware ones.

I mean sure, you have to accept the government of Greece's certificate because they're the legitimate authority, just like you can't refuse to accept a Greek passport because you think it looks dodgy or you've never heard of Greece. If their government is issuing bad certificates, normal government accountability mechanisms apply, just like with countries that are known to sell citizenships to the wealthy. Again that seems right and proper.

> all major browsers are developed by entities based in the US, that are therefore subject to National Security Letters

Those browsers are Open Source. (Well, Firefox is, and Chrome's core is even though Chrome isn't). If they tried to ship a MITM-enabling mechanism it'd be obvious.

> I mean sure, you have to accept the government of Greece's certificate because they're the legitimate authority

They're not the authority for arbitrary domains on the Internet, no. Only domains that have requested a certificate through that CA. This is what Certificate Transparency is for. If a Certificate Transparency log shows a CA (governmental or otherwise) issuing a certificate for somecompany.example, and the entity controlling somecompany.example didn't request that certificate, that CA has some explaining to do, and if the answer isn't "here's exactly what happened and how we'll make sure it can never happen again", the likely outcome is that browsers will stop trusting that CA.

The point of CT is that you can't silently issue MITM certificates without permanently burning an entire CA to do it.

> If they tried to ship a MITM-enabling mechanism it'd be obvious.

A straight up blocklist wouldn't be though. Just treat it like a CRL entry or something.

> They're not the authority for arbitrary domains on the Internet, no.

Agreed. But they're the authority for Greek domains. If anything, it's letting some other entity issue certificates for those that's strange.

EU governments will be even more subject to pressure from the US. I don't understand how anyone could doubt they will comply with every request from the US government.

The difference is that the current decision makers only have power because other people trust them voluntarily. That makes them accountable, and it means a whistleblower can do much more to limit the damage by leaking the fact they are giving in to US pressure.

A government can impose its will by force, so it is much less accountable and doesn't have to worry about the consequences of its decisions nearly as much. There is nothing I can realistically do if I object to a decision by a government unless I'm a large political donor because governments don't need my consent to operate.

> the current decision makers only have power because other people trust them voluntarily.

Not really. Plenty of EU citizens don't trust Microsoft, Google or Apple. But there's no practical alternative. The government of an individual EU country has a lot more accountability than that.

They can install an open-source OS/browser and ignore Microsoft, Google, and Apple. There is nothing they can realistically do when they don't trust a government.

Governments ultimately derive their power from their ability to impose their will by violence. That makes them inherently less accountable than organizations that you are free to ignore.

Someone who doesn't trust a government can move countries, particularly in the EU. I'd argue that it's actually easier to avoid a given EU government than to use an OS/browser combination that's not controlled by US entities.

That's frankly ridiculous. Moving countries is expensive, and there are a limited number of countries in the EU and the world. If you can't afford to move or don't trust any of them, you are out of luck.

Installing an open-source OS and browser is free and the options are practically unlimited as anyone is free to create a new alternative.

> This is a transfer of power from a voluntary industry consortium to appointed EU technocrats

Or a transfer of power from US-centric companies to actual sovereign bodies. I don't want to live in a cyberpunk world. This sounds good to me. Note that browsers are still allowed to remove them if they are compromised.

> Or a transfer of power from US-centric companies to actual sovereign bodies.

Why are you characterizing the CA/Browser Forum as US-centric companies? It's a collection of certificate issuers from all over and notably includes the European Accredited Conformity Assessment Bodies' Council and the European Telecommunications Standards Institute.

The thing is that you can currently choose which org to give that power, and at least so far, those orgs have acted in line with wanting you to choose them (i.e. on your behalf).

Can you though? The loose consensus model means there's little accountability and no practical way to opt out of listening to a particular entity that you don't trust. There are tales of essentially "someone with an @google.com email" being able to tell a CA to stop issuing certificates to particular undesirables, and the CA complying.

You can, to a limited extent. If e.g. Google were to start censoring news.ycombinator.com by blocklisting its CAs, I could switch browsers to view it anyway. (Or vice versa, if there's a big security issue and one browser (who still trusts the relevant CAs) was vulnerable and another one was not, I might then consider switching browsers.)

> If e.g. Google were to start censoring news.ycombinator.com by blocklisting its CAs, I could switch browsers to view it anyway.

You could if it got to that point, but the CA would almost certainly "voluntarily" stop issuing certificates to news.ycombinator.com rather than face the risk of being blocklisted, and there's no way for you to opt out of that.

Hmm yeah that's a good point, not much you can do about that as a user.

It's pretty much an open forum, you can go and read discussions where they've removed CAs. It's more oriented around the individuals than the companies.

A reasonable concern here is that power is transferred from subject matter experts to technocrats with a poor track record of making technical decisions. Some recent examples of EU tech debacles include Quaero, Galileo, Gaia-X, Ariane 6.

On the other hand, the technocrats are beholden to actual elected officials, instead of the current situation where a group of random people selected by private companies coordinate their work by consensus without much formal structure and the members are beholden to nobody but their company boss.

Rule by consensus is basically democracy by whoever is motivated enough to show up. It seems to have an extremely good track record, especially compared with rule by central bureaucracy.

The exception is if the consensus is only among a small handful of large corporations that lack competition and then become the unaccountable technocrats. But in that case what you want from governments is not to take over as the malevolent bureaucracy, it's antitrust enforcement.

And those elected officials are beholden to the highest bidder. In the current system, the people who make CA decisions acquired that power voluntarily and seem to have acted benevolently in the past, that's way more than you can say about government officials.

The current voluntary system is also very open, and anyone can get involved and participate to a much larger extent than people realistically can in an electoral democracy. To me, the voluntary system seems to be better and safer for everyone who doesn't have a very large amount of money to throw at elections.

What's your concern with Galileo? Many experts consider it to be the best GNSS currently available:[1]

> The US constellation isn’t as accurate as the newer networks, said Roberts, the Sydney-based professor. “It used to be GPS was out in front,” he said. Now, though, the EU’s Galileo is in the lead, with China’s BeiDou close behind, he said.

[1] https://www.bloomberg.com/news/articles/2023-09-20/russia-s-...

Thanks for backing up your point with a link. I agree that Galileo is more accurate than the much older GPS system. On the other hand, the GPS system became fully operational in 1995 as far as I understand, and the Galileo system is yet to be fully operational almost a decade after the original target date.

And big EU tech successes like GDPR, DMA and many others. What's your point?

This is about identity regulation, not random rockets.

I certainly wouldn't call those successes.

I would far rather have things decided by US-centric companies than even somewhat influenced by France and Germany. At least the former have comprehensible motivations.

Browsers are allowed to ask permission to remove them if they are compromised.

They still have to receive that permission before they can do it.

I believe it is well understood by now that users tend to ignore security warnings; anyone serious about computer security will not accept this as a solution. We don't even apply security-critical patches reliably.

Lately I've found browsers no longer let me click past SSL errors (at least, not without digging deep through the settings panel first).

Sovereign-my-ass when they can issue any cert and MITM anything without any recourse.