by lmm 940 days ago
> eIDAS changes this by, effectively, creating a special EU government analogue to the CA/Browser Forum. All browser developers in the EU have to trust eIDAS's CAs. This is a transfer of power from a voluntary industry consortium to appointed EU technocrats.

The flipside is that while it may be a "voluntary consortium", all major browsers are developed by entities based in the US, that are therefore subject to National Security Letters etc. (and, more insidiously, US social pressure). When the next Snowden-style revelation comes out, what's to stop the US security apparatus from blocking sites associated with it? So yeah, I see more upside than downside in my browser having at least some accountability to the EU.

> All those existing government CAs are currently audited by CA/B. If Greece gets caught misissuing certificates they can have their CA roots revoked by the browser vendors. The concern is that under eIDAS, the EU could just not revoke the certificate, and the browser vendors' hands would be tied. They'd be forced to accept known bad CAs and every cert they sign, including the spyware ones.

I mean sure, you have to accept the government of Greece's certificate because they're the legitimate authority, just like you can't refuse to accept a Greek passport because you think it looks dodgy or you've never heard of Greece. If their government is issuing bad certificates, normal government accountability mechanisms apply, just like with countries that are known to sell citizenships to the wealthy. Again that seems right and proper.

2 comments

> all major browsers are developed by entities based in the US, that are therefore subject to National Security Letters

Those browsers are Open Source. (Well, Firefox is, and Chrome's core is even though Chrome isn't). If they tried to ship a MITM-enabling mechanism it'd be obvious.

> I mean sure, you have to accept the government of Greece's certificate because they're the legitimate authority

They're not the authority for arbitrary domains on the Internet, no. Only domains that have requested a certificate through that CA. This is what Certificate Transparency is for. If a Certificate Transparency log shows a CA (governmental or otherwise) issuing a certificate for somecompany.example, and the entity controlling somecompany.example didn't request that certificate, that CA has some explaining to do, and if the answer isn't "here's exactly what happened and how we'll make sure it can never happen again", the likely outcome is that browsers will stop trusting that CA.

The point of CT is that you can't silently issue MITM certificates without permanently burning an entire CA to do it.
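
Added example, not part of the thread or written by any commenter: the domain-owner check described in the comment above, comparing certificates seen in Certificate Transparency logs against the certificates the owner actually requested. It assumes log entries have already been fetched and parsed into records; the record layout, the names `covers` and `unrequested_certs`, the CA names and all sample data are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def covers(san: str, domain: str) -> bool:
    """True if a certificate name falls under the watched domain."""
    san, domain = san.lower().rstrip("."), domain.lower().rstrip(".")
    if san.startswith("*."):          # a wildcard covers names under its base
        san = san[2:]
    # Require a label boundary so notsomecompany.example does not match.
    return san == domain or san.endswith("." + domain)

def unrequested_certs(entries, domain, requested_fingerprints):
    """Group logged certificates for `domain` that the owner never requested, by issuer."""
    findings = defaultdict(list)
    for entry in entries:
        if not any(covers(name, domain) for name in entry["names"]):
            continue                  # certificate is for someone else's domain
        if entry["sha256"] in requested_fingerprints:
            continue                  # matches the owner's own issuance inventory
        findings[entry["issuer"]].append(entry["sha256"])
    return dict(findings)

def fp(label: str) -> str:
    """Constructed stand-in for a certificate's SHA-256 fingerprint."""
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed sample log entries (assumed already parsed from a CT log).
SAMPLE_ENTRIES = [
    {"names": ["somecompany.example", "www.somecompany.example"],
     "issuer": "Constructed CA A", "sha256": fp("cert-1")},
    {"names": ["*.somecompany.example"],
     "issuer": "Constructed Gov CA", "sha256": fp("cert-2")},
    {"names": ["notsomecompany.example"],
     "issuer": "Constructed CA B", "sha256": fp("cert-3")},
    {"names": ["login.somecompany.example"],
     "issuer": "Constructed Gov CA", "sha256": fp("cert-4")},
]
# Fingerprints of certificates the owner of somecompany.example requested.
REQUESTED = {fp("cert-1")}

if __name__ == "__main__":
    hits = unrequested_certs(SAMPLE_ENTRIES, "somecompany.example", REQUESTED)
    for issuer, certs in hits.items():
        print(f"{issuer}: {len(certs)} certificate(s) the owner did not request")
```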

> If they tried to ship a MITM-enabling mechanism it'd be obvious.

A straight up blocklist wouldn't be though. Just treat it like a CRL entry or something.

> They're not the authority for arbitrary domains on the Internet, no.

Agreed. But they're the authority for Greek domains. If anything, it's letting some other entity issue certificates for those that's strange.

EU governments will be even more subject to pressure from the US. I don't understand how anyone could doubt they will comply with every request from the US government.

The difference is that the current decision makers only have power because other people trust them voluntarily. That makes them accountable, and it means a whistleblower can do much more to limit the damage by leaking the fact they are giving in to US pressure.

A government can impose its will by force, so it is much less accountable and doesn't have to worry about the consequences of its decisions nearly as much. There is nothing I can realistically do if I object to a decision by a government unless I'm a large political donor because governments don't need my consent to operate.

> the current decision makers only have power because other people trust them voluntarily.

Not really. Plenty of EU citizens don't trust Microsoft, Google or Apple. But there's no practical alternative. The government of an individual EU country has a lot more accountability than that.

They can install an open-source OS/browser and ignore Microsoft, Google, and Apple. There is nothing they can realistically do when they don't trust a government.

Governments ultimately derive their power from their ability to impose their will by violence. That makes them inherently less accountable than organizations that you are free to ignore.

Someone who doesn't trust a government can move countries, particularly in the EU. I'd argue that it's actually easier to avoid a given EU government than to use an OS/browser combination that's not controlled by US entities.

That's frankly ridiculous. Moving countries is expensive, and there are a limited number of countries in the EU and the world. If you can't afford to move or don't trust any of them, you are out of luck.

Installing an open-source OS and browser is free and the options are practically unlimited as anyone is free to create a new alternative.

> Installing an open-source OS and browser is free and the options are practically unlimited

There's what, two and a half real options? Even open-source applications wilfully cut off any non-mainstream OS (see the whole systemd saga). "Anyone is free to create a new browser", sure, but in practice it's now so expensive that even Microsoft had to give up. I've absolutely got more practical choices of country.