by ko27 941 days ago
> This is a transfer of power from a voluntary industry consortium to appointed EU technocrats

Or a transfer of power from US-centric companies to actual sovereign bodies. I don't want to live in a cyberpunk world. This sounds good to me. Note that browsers are still allowed to remove them if they are compromised.


> Or a transfer of power from US-centric companies to actual sovereign bodies.

Why are you characterizing the CA/Browser forum as US-centric companies? It's a collection of certificate issuers from all over and notably includes the European Accredited Conformity Assessment Bodies' Council and the European Telecommunications Standards Institute.

The thing is that you can currently choose which org to give that power, and at least so far, those orgs have acted in line with wanting you to choose them (i.e. on your behalf).
Can you though? The loose consensus model means there's little accountability and no practical way to opt out of listening to a particular entity that you don't trust. There are tales of essentially "someone with an @google.com email" being able to tell a CA to stop issuing certificates to particular undesirables, and the CA complying.
You can, to a limited extent. If e.g. Google were to start censoring news.ycombinator.com by blocklisting its CAs, I could switch browsers to view it anyway. (Or vice versa, if there's a big security issue and one browser (who still trusts the relevant CAs) was vulnerable and another one was not, I might then consider switching browsers.)
> If e.g. Google were to start censoring news.ycombinator.com by blocklisting its CAs, I could switch browsers to view it anyway.

You could if it got to that point, but the CA would almost certainly "voluntarily" stop issuing certificates to news.ycombinator.com rather than face the risk of being blocklisted, and there's no way for you to opt out of that.

Hmm yeah that's a good point, not much you can do about that as a user.
It's pretty much an open forum, you can go and read discussions where they've removed CAs. It's more oriented around the individuals than the companies.
A reasonable concern here is that power is transferred from subject matter experts to technocrats with a poor track record of making technical decisions. Some recent examples of EU tech debacles include Quaero, Galileo, Gaia-X, Ariane 6.
On the other hand, the technocrats are beholden to actual elected officials, instead of the current situation where a group of random people selected by private companies coordinate their work by consensus without much formal structure, and the members are beholden to nobody but their company boss.
Rule by consensus is basically democracy by whoever is motivated enough to show up. It seems to have an extremely good track record, especially compared with rule by central bureaucracy.

The exception is if the consensus is only among a small handful of large corporations that lack competition and then become the unaccountable technocrats. But in that case what you want from governments is not to take over as the malevolent bureaucracy, it's antitrust enforcement.

And those elected officials are beholden to the highest bidder. In the current system, the people who make CA decisions acquired that power voluntarily and seem to have acted benevolently in the past; that's way more than you can say about government officials.

The current voluntary system is also very open, and anyone can get involved and participate to a much larger extent than people realistically can in an electoral democracy. To me, the voluntary system seems to be better and safer for everyone who doesn't have a very large amount of money to throw at elections.

What's your concern with Galileo? Many experts consider it to be the best GNSS currently available:[1]

> The US constellation isn’t as accurate as the newer networks, said Roberts, the Sydney-based professor. “It used to be GPS was out in front,” he said. Now, though, the EU’s Galileo is in the lead, with China’s BeiDou close behind, he said.

[1] https://www.bloomberg.com/news/articles/2023-09-20/russia-s-...

Thanks for backing up your point with a link. I agree that Galileo is more accurate than the much older GPS system. On the other hand, the GPS system became fully operational in 1995 as far as I understand, and the Galileo system is yet to be fully operational almost a decade after the original target date.
And big EU tech successes like GDPR, DMA and many others. What's your point?

This is about identity regulation, not random rockets.

I certainly wouldn't call those successes.
I would far rather have things decided by US-centric companies than even somewhat influenced by France and Germany. At least the former have comprehensible motivations.
Browsers are allowed to ask permission to remove them if they are compromised.

They still have to receive that permission before they can do it.

I believe it is well understood by now that users tend to ignore security warnings; anyone serious about computer security will not accept this as a solution. We don't even apply security-critical patches reliably.
Lately I've found browsers no longer let me click past SSL errors (at least, not without digging deep through the settings panel first).
Sovereign-my-ass when they can issue any cert and mitm anything without any recourse.