Hacker News
Mozilla publishes position paper on the EU Digital Identity Framework (blog.mozilla.org)
216 points by xoa on Nov 17, 2021 | 156 comments



This did get posted a few weeks ago at the time it was written but didn't get much traction at that point, yet seems like a reasonably important issue. The EU has done worthy things for issues like privacy, but whatever the pluses and minuses of regulating personal and business policy, I'm a lot more dubious about government sticking its hand directly into how specific software (like browsers) functions. That seems like a serious step beyond merely trying to ensure there is competition and choice in different products, full disclosure about them, level playing fields etc. Dictating implementation details even for open source feels like something with much, much more scope for serious negative side effects getting baked in, particularly in fields where best practices move fast.

A negative security example that comes readily to mind is how bad government policies/standards helped cement for a long time the awful practice of complex password requirements, including rapid change requirements, "security questions" and so on. These are actively negative for security; people in the field realized pretty fast (and of course many argued from the start) that the only requirements for passwords should be some minimum length, not using previously exposed ones, and having a sufficiently high maximum length that everyone is free to use more comfortable ones like diceware if they wished. While that has at last been getting revised, bureaucracy still moves much too slowly there.

Of course this hasn't made it through the gauntlet and hopefully won't, but I'm glad to see it getting some attention.


I feel similarly about the EU forcing companies to use USB-C as a charging port. I love USB-C, and it is basically a requirement for any electronic device I buy. But forcing everyone to use it until the end of time is ridiculous. Imagine if they had done this a few years ago, and the micro-B connector was mandated. We would never have gotten USB-C.


> Imagine if they had done this a few years ago, and the micro-B connector was mandated. We would never have gotten usb-C.

They did, you don't have to imagine it.

In 2009 they signed a memorandum of understanding with 14 phone companies, which is why micro-B was the standard before type C. Apple was among those that signed it, and used a loophole in the text to ship a Lightning-to-micro-B adapter instead.

Around 2016 they realised micro-B was outdated and notified the signatories that they should switch to type C.

https://www.macrumors.com/guide/eu-charging-standard-proposa...


A Memorandum of Understanding is a far cry from the legislation they are trying to push through. A MoU is not legally binding. From your link:

> The recent 582-40 parliamentary vote in favor of a common charging standard came about because the European Commission's previous approach of merely "encouraging" tech companies to develop a standardized solution "fell short of the co-legislators' objectives," according to a briefing on the European Parliament website.

The first phones with USB-C came out in 2015. If this MoU had instead been binding legislation, those USB-C phones would never have been allowed.


Almost as if they've seen a shortcoming with signing just a memorandum of understanding and took it a step further this time around.

> To address the challenges for consumers as well as the environment, the Commission has supported a common charging solution for mobile phones and similar electronic devices since 2009. The Commission first facilitated a voluntary agreement by the industry in 2009 that resulted in the adoption of the first Memorandum of Understanding (MoU) and led to reducing the number of existing charging solutions for mobile phones on the market from 30 to 3. Following the Memorandum's expiration in 2014, a new proposal by industry presented in March 2018 was not considered satisfactory in delivering a common charging solution or meeting the need for improved consumer convenience and e-waste reduction.

https://ec.europa.eu/commission/presscorner/detail/en/ip_21_...


> Almost as if they've seen a shortcoming

A shortcoming for _their_ goals. Their goals are at odds with what is best for us. It is a good thing the micro-b MoU did not have any teeth.


I can't speak on behalf of anyone but myself, but when that goal is less e-waste, their goal sure does align with mine, even if it may take me 20 extra minutes to charge my devices when something better than type C comes around.

If I can charge my laptop with it, it's surely good enough for charging devices with a much smaller battery at least for the next decade or so.


Are chargers really a significant source of e-waste?

E-waste is a direct consequence of technology progress. We're not still all using 486s. Technology advances, people want that new stuff.

I would wager charging ports are insignificant.


Two drawers full of useless USB cables next to me imply so, and that's next to having 6 chargers and cables pretty much everywhere you can sit in my apartment.

But I wouldn't call it significant, I would call it completely unnecessary. I'd really rather buy one when I need it than get one with every single gadget I buy, which is precisely what the EU is trying to achieve.


Oh I'd totally rather just buy one as well, but let's be honest, this is a first world problem around convenience; it's not going to put any significant dent in the global e-waste problem.


Hey on my Android, I'm happy to reuse my old chargers.

It would be another thing if I was on Apple ecosystem.


All the Apple chargers are compatible, and have been for quite a long time. They’ve had a standard USB-A port since at least 2004, and they now have a standard USB-C port.

The only reason to get a new charger is if you need more power, but that’s exactly the same situation as with Android. Where did you get the idea that you had to get new chargers?


Isn't Apple on Lightning port? Still. All Androids work fine on USB-C and Apple is the outlier.


Do you have so short a memory about all the proprietary connectors we needed to suffer before?


Sorry. I don't have time to reply to this comment because I need to find my Motorola charger. The thin long barrel jack, not the older thick short barrel jack one...


> Imagine if they had done this a few years ago, and the micro-B connector was mandated. We would never have gotten usb-C.

But they didn't. These people aren't that dumb; they told companies to settle on a standard, and now that we have a good standard that basically everyone follows they want to make a law to ensure everybody follows it. Bringing up a scenario where they did the right thing and arguing "just imagine if they didn't do the right thing here, that would be a problem!" isn't a strong argument.


It is the standard now, but should it be the standard forever? What happens when we want better features as new tech is invented?


> What happens when we want better features as new tech is invented?

The new tech would prove itself, somehow, and then the standard would change over after there's evidence that the new tech improves more than the cost of the change!


How would a new tech prove itself if manufacturers aren’t allowed to use it in their product? If customers aren’t allowed to try something new, they are never going to be able to determine if customers prefer it.

The only way to ‘prove’ that a tech is better than another is by letting the market decide.


Dropping a Memorandum of Understanding is almost for free. Putting a law out of commission (pun not intended) is a completely different story!


If basically everyone follows, then why require it and shut off or slow down future innovation? Regulations like this are nearly always obsolete by the time they are implemented.


> If basically everyone follows, then why require it and shut off or slow down future innovation? Regulations like this are nearly always obsolete by the time they are implemented.

Apple doesn't follow it. Also, the reason companies settled was that the EU threatened them with regulations; if they didn't follow through when some companies (Apple) misbehave, it would mean that such threats would lose teeth and won't solve future problems. So if anything the problem here isn't the EU; the reason that law is coming is Apple. The best possible scenario is that companies dynamically create new standards and fall in line, but Apple refuses to play along, so regulations are necessary.


> Apple doesn't follow it.

They did follow it. The initial agreement was about chargers, not cables, and you can charge any iPhone off any usb charger. Now, we can discuss the spirit versus the letter, but they signed the agreement and followed it.


EU mandated GSM, which was a success, but we aren’t stuck with it still.


We aren't stuck with _just_ gsm, but all phones still have to carry support for 2g.

The analogous scenario is a phone with 2 charging ports. The legacy usb-c alongside the newer port you would actually want/use.


GSM aka 2G is kept as fallback for dumb terminals - it's rather 3G which was (is) sunsetted. I think keeping it is actually a sensible decision.


> [..] but all phones still have to carry support for 2g.

Q: Do network operators/SIM card (re)sellers still have to support 2G, or just the phone manufacturers?


The sim/operator is irrelevant for emergency calls, and the motivation behind keeping 2G is better signal reach for emergency calls. So I guess even if you wouldn't be able to call your friends from the top of the mountain, you could successfully dial or sms to 112 (if there's a distant mast somewhere in sight with a signal to camp on).


Not sure how it is in the EU specifically but many new networks around the world do not have 2G (Jio in India is (in)famously 4G-only, Tele2 in Moscow is 3G+4G)


I don't understand the 'never gotten usb-C' part. Modern phones have more than enough space for two connectors. So usb-C next to a micro-B charging port is no problem.

After a while, almost all phones also have USB-C, most people like USB-C, so the industry can petition to replace micro-B with USB-C.

Are there any examples where the EU mandates legacy stuff that is no longer useful, but still has to be kept anyway?


Ports actually do take up valuable real estate inside a phone. There are downsides to making phones have two USB ports. More ports on the bottom means less space for the second speaker and microphone, and makes waterproofing more difficult. I don't think any manufacturer would actually do it outside devices designed for special use cases.


Good point. Especially since phone manufacturers are moving to get rid of the headphone jack as well...


Is that really better though? Phones would have to be manufactured with an unused port - and if you want to use all the functionality you’d need to buy another cable (yet more e-waste)

Not that I have ‘the answer’ just that it’s a hard problem.


Given that most of my phones have been replaced due to issues with the USB port it would be pretty sweet if my phones had two charging ports.


You are missing that if micro-B were a "have to include" port, USB-C wouldn't have been created. There would be no incentive.


For the record, the feedback period on the EU charging port directive proposal is still open until tomorrow: https://ec.europa.eu/info/law/better-regulation/have-your-sa...

I quickly glanced at a couple of the feedback documents they've got so far, and they seem to echo your concerns. We'll see if the parliament makes any changes.


On a slightly different angle, my frustration is that it's not done on a general standards or outcome based requirement. For example rather than dictating a specific thing or even standard like micro-USB, simply require, e.g., that 90% of all power cables must comply with an industry self-organized standard within 3 years of the final release and, e.g., that the largest firms must subsidize the compliance by the smallest firms in order to prevent gaming the system to drive the small companies out of business.

There is a rather significant and major issue that this change highlights; essentially all our politicians and bureaucrats see themselves as smart and wise enough to be central planners and masters of the universe … when the truth could not be farther from it.


USB-C is at least to some extent about standardization.

It's a less complicated issue; while nuanced, I think most of the details are manageable by a willing political actor.

It's also a known quantity.

This MOZ paper deals with much more complicated things.

I'm wary of involvement, I wonder if there are industry-led solutions that could be supported.

If MSFT, G, FB, AMZN could agree on something with the blessing of the EU and indirectly the US, I wonder if it would happen very quickly.


That is a really, really obvious problem, so why do you think you are the first person on the planet who ever thought of it? And that nobody addressed it?

> But forcing everyone to use it until the end of time is ridiculous.

Correct, it is ridiculous you think anyone did that.

> Imagine if they had done this a few years ago, and the micro-B connector was mandated. We would never have gotten usb-C.

They did. We do have usb-c.


What makes you believe it's until the end of time? They did do it with micro USB also. From what I can see the mandate changes with the times, so if everything evolves I would assume that they'll update their requirements.


The EU has neither the authority nor the competency to lay out such identity frameworks and I would say they would decrease security in any case. This is again about surveillance and attempts to get control on information.

HTTPS basic auth is secure and should always be an option. There, perfect interop.

There is not enough trust and political currency to accept such measures in my opinion. Formalized ID systems seem to net more attack vectors than what we currently have.


It's ultimately my decision which certificates I will trust. I can choose to trust just one certificate, and ignore the Mozilla root store, or I can use Mozilla's root store, and modify it. These are my decisions, not Mozilla's.

So this proposed regulation mandates that my browser must support QWAC, and include TSP roots? Does that mean that browsers MUST deprive me of the ability to control my root store? Would I be in violation if I modified my (open-source) browser so that it was no longer in compliance?

Supposing I published my patch on a website outside the EU (e.g. in the UK)?

To be clear, I don't want a root cert from any entity that is effectively controlled by a government to be trusted by my browser. Some governments bother me more than others; (for example) a Turkish government-controlled CA was caught forging certificates. There's still a Turkish CA in there, I see; Debian have seen fit to remove it.

It's all fine, the sky won't fall. As long as I can still decide who I trust.


This is all the initial recommendation says about browsers and certificates; there is nothing about preventing browsers from allowing the users to configure this, just that they have to support it (and most of this is already supported by browsers; this is mostly just a recommendation to force all browsers to implement site security):

> To that end, web-browsers should ensure support and interoperability with Qualified certificates for website authentication pursuant to Regulation (EU) No 910/2014. They should recognise and display Qualified certificates for website authentication to provide a high level of assurance, allowing website owners to assert their identity as owners of a website and users to identify the website owners with a high degree of certainty.

Edit: It also limits this to larger web browser providers in another part and only after 5 years. So people are free to run their own forks of browsers, so I doubt that it will be forbidden for browsers to just have a setting for specific sets of certs.


"It is just this" is something we hear very often when it is about user surveillance.

And then mandate sites use it for any age restricted content? Comes a year later. And everything against a backdrop that some EU members want encryption backdoors. Meanwhile we have safe e-commerce for years. No, thank you.


Thanks.


The use cases for digital identity are almost all pernicious. Sure, you can use it for nice things like public services, except we do that today quite expansively without one, and why do we need biometric level proofs for that?

A government digital identity means that every informal transaction in the economy that uses it relies on the state as an inline broker. We can see this today with vax passports, where just this month you have to check in with the government before you can enter a restaurant. (only temporary, surely) It's designed to manage people like livestock, and we all know that some pigs are more equal than others. Even vax passports and so-called "mandates" have exploited loopholes in our high trust societies and assumed formlessness so as to avoid being challenged legally. Digital identity regimes will use the same indirect methods. This is their strategy.

Why do you need to prove your identity unless there is some intent to prosecute you? Most of the value in the economy is based on people taking on transaction risk on behalf of others, so replacing it with digital identity will destroy degrees of economic freedom and opportunity for your kids and grandkids. Identity does not create opportunity, it limits it.

Civilization doesn't survive malicious institutions that turn inward against the people they serve, and I hope other technologists think seriously about identity and consider the consequences of it falling into the hands of an enemy or evil institution, because having worked in identity, I guarantee it will.


> Why do you need to prove your identity unless there is some intent to prosecute you? Most of the value in the economy is based on people taking on transaction risk on behalf of others, so replacing it with digital identity will destroy degrees of economic freedom and opportunity for your kids and grandkids. Identity does not create opportunity, it limits it.

I don't understand this argument at all. In what way does the economy require that people take on risks of identity theft when they trade with each other? I don't see a single instance of trade being limited even if all transactions were between established identities.

There are other issues of tight tracking of course, but I don't see this one.


With the rise of the internet I now consider my identity to be valuable. So I don't give it away for free.

I personally don't want my identity checked unless I'm asking someone to trust me. And I'd rather use a trust-minimizing system before going there. You don't need your id checked when going to the restaurant or the theater. You need to check someone's id when they take your money and promise you something in return (and even then, there may be a better way).

> I don't see a single instance of trade being limited even if all transactions were between established identities.

Do you buy something if you need to send a copy of your id? Do you use a website if it requires Facebook connect?

The issues of tight tracking you mention would be amplified by widespread use of id checks so I think it's essential not to do them often.


Unless the entity that vouches for the identity or oversees transactions wanted to limit the ability of some disfavored participants, for some reason.


If your bank wants to stop you from making a transaction they can do so today as well; not sure how this would change anything. The big difference is that now you could verify the other party's identity before the transaction instead of just your bank doing it.

I can see an objection to erasure of cash, but not these identities.


> why do we need biometric level proofs for that?

There's generally two buckets of biometric auth:

1. Local biometric auth, with no metrics shared outside the local context, for convenience in authentication. This would be FaceID/TouchID/Windows Hello sorts of functions

2. Remote biometric auth to prevent certain types of 'friendly' impersonation, such as using a family member's identity for an age or background or credit check. This is say comparing a live camera capture against a previous photo.

You see #2 a lot in identity proofing, e.g. I presented an official document and it is legitimate, but how do they know it's actually the right person vs someone who did some lucky dumpster diving?

For digital identity credential systems which represent those documents, you have both cryptographic document verification and typically have a form of authentication by proof-of-possession of some key, but often people still feel the need for a remote biometric check. The reality is that they should be basing that on an actual need.


My point is there is no actual need, and all needs are contrived by policy for policy's sake, usually caused by security nerds (my people) whose rationale is identity because identity, and then we index on geeking out on writing security protocols without product use cases for the people subject to it.

The real problems in identity proofing are things like task delegation, substitute decision makers in elder care, parents doing things on behalf of their kids and kids asserting their parents permission, federation of user attributes with privacy, etc. These aren't difficult technical problems, except you need some way to transfer risk and accountability, which is an absolute quagmire. Universal digital identity (because let's face it, that's what it necessarily is) approaches these problems with a necessary component of a solution, but that's not what it's mainly going to be used for.

Maybe this yields a thought experiment where let's say I write an app for parents and kids where kids can use it to show they have their parents' permission to be in a park after dark, walk to school by themselves, participate in a class trip, travel by themselves on a train or plane, get consent for emergency medical procedures, etc. Then that kid grows up and it switches from their parents to being a driver's license, age of majority card, school graduation certificates, their last STD test, list of employers and past salaries, speeding tickets, criminal records, lowest rated tweets, sexual partners etc. Sounds like it could be a real product right? Except that kid never wanted the stupid app that monitors them, the hovering parents who imposed it on them just use them as a source of narcissistic supply, and then their entire life is one of being subject to some proxy for these helicopter parents. The app is captivity, or more accurately, entry into a panopticon that deprives them of their basic humanity. This is why digital identity is a terrible idea in pretty much every version I've seen so far. It's not chosen, it's imposed, and that's not a product, that's a mandate laundered through tech.


The one application I would see is that government would be in control of biometric information. Today a lot of people share such markers with companies. But many also do not do that and they should also not be forced to do the same with government. That the EU enforced biometric passports without any benefit is bad enough.


You make a good point. In a state of pandemic, the population IS in some sense similar to livestock, bodies to be managed, since the virus has weaponized our bodies. Wouldn't you say?


The common method to deal with avian influenza is killing all the livestock when one case is detected. Your comparison is scary and uncanny, but well aligned with how violently the pandemic has been handled by various governments.


Overall I like Yuval Noah Harari's point about our systems, that liberal democracies and free markets are based on the assumption that we have rational individuals making decisions in their self-interest. Which is not true at all, in today's day and age where misinformation and propaganda run rampant. You cannot rely on individual judgement to get us out of a pandemic. The same can be stated about climate change. I would say it's more alarming with climate change, since the consequences of our actions are stretched out in the far future (at least when compared to covid). How the heck are we going to get people/companies/governments to get in line with what's needed for the survival of our species?


Authoritarianism raises its head in all sorts of interesting ways.

Interesting to see the EU choose the path of Kazakhstan.[0]

[0] - https://www.internetsociety.org/news/statements/2019/interne...


A proper online identity framework is long due though. Maybe this is not the proper one but sending copies of my passport, electricity bills and lately selfie recordings as well to "prove my identity" doesn't seem right either.


Governments though can do that through their own passive demand. I.e., they can issue proper smartcards/tokens for citizens to identify themselves with, and then say that those can (and eventually must) be used for electronic interactions with the government itself (taxes being a big one, but they'd easily be useful for a range of stuff). Follow/improve open standards. With something good, open and convenient, private usage will naturally follow. Government can also by definition get involved with the issue of legal liability and fix BS like "identity theft" by shifting liability to businesses who do not meet good authentication standards. Doing it that way also creates room for fixing serious issues in practice before a natural rollout, as it starts by the government dogfooding its own standard. And if a lot of sites demand it, browsers will respond absent overwhelming reason not to, which itself is a good form of pressure to get said overwhelming reasons fixed.

I'm very doubtful though that trying to just directly legislate how software universally works, thus bypassing process, is a good idea. Massive room for abuse as well.


I think you touch on the issue.

Having a standard for Identity Management seems reasonable. Mandating that such a state-regulated identity be used for all on-line data passing on the internet seems like a nightmare waiting to happen.

That may not be the step in between "collect underpants" and "profit" but it feels like it's coming. In the U.S., I'm sure something like this will be sold in the clothing of think-of-the-children.


> Mandating that such a state-regulated identity be used for all on-line data passing on the internet seems like a nightmare waiting to happen.

They didn't mandate that though, the proposal was that it should be possible to use it, not that everyone should be forced to use it. You would still be able to log in using other means.

Basically, facebook would be required to provide you with the option to use e-id to log in. But you could still log in with other means. It just gives you more freedom.


Please, we know how that works. Youtube age filter? Will be mandated for anything controversial as soon as such a system is in place to protect the children. Meanwhile we spend trillions on e-commerce. There is crime, but nothing that warrants such an ID scheme.


When this becomes widespread then you can expect to have to authenticate this way everywhere. Want to make a Twitter account? Please authenticate with your government ID. Facebook? Of course. Video games? You bet.

South Korea already has these requirements for (some of) their video games.


The draft revisions actually propose such authentication to be mandatory to implement for service providers if their users would like to use it.

That is, it specifically targets websites (particularly Very Large Online Platforms) that they MUST accept such ID in lieu of an email or password, at the user’s request. This was part of the original motivation for the revisions, to target “Sign in with Facebook” or “Sign in with Google” and require such sites also offer a “Login with EU” option.

Source: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM%3A20...


So $VLOP is compelled to accept QWAC user-certificates, if one user requests it? And QWAC user-certificates are issued by TSPs whose CA cert must appear in the root-store unconditionally?

That means there is nothing preventing $TSP from forging my certificate, and giving it to criminals/government-agents, and nothing to keep the TSP in line, because the single audit constraint is "Keep the Minister satisfied".

I personally don't have a problem with the idea of replacing passwords with user-certs, provided I get to generate my own cert with my own private key. But the evidence is that general users can't learn how to use certificates.

I hate passwords, but I'd rather use passwords than a user-cert issued by an unreliable CA.


The "unreliable CA" you are talking about here happens to be banks and similar. Do you trust that your bank doesn't just steal your money? Yes, you basically can't function in modern society if you don't. These e-IDs just piggyback on that trust to also work on online sign-ins. Most people worry more about their bank account being compromised than their GitHub, so if these CAs (i.e. banks) start to abuse their position we would have way bigger troubles than someone stealing your GitHub account.


I see, QWACs are to be issued by banks. And websites are required to trust them.

So if the bank gets hacked, then presumably the EU will indemnify the relying website against any legal action for trusting an unreliable CA? Even if that website is in China/Russia/Belarus?

You seem to have read the proposed regulation, Jensson; the information you've given is not in the position paper. Any chance of a summary?


The QWACs can be issued by anyone who meets the minimum requirements, which are substantially less than those required for TLS server CAs in browsers. So while it’s true that banks can issue these, in practice there are many small companies with fewer than a thousand or so certs out there which have the same requirement that they must be accepted.

The eID certificates do come with probative (legal) effect, but this is where it gets complicated.

If the CA is hacked or screws up, yes, the CA is liable. But only if you did everything you were supposed to, such as checking every element of the certificate. These certificates have a variety of fields, such as “liability only up to XX euros”, and you (the site or user) are liable if you use it for more than that.

PSD2 has shown that the standards are a nightmare to fully implement. https://wso2.com/blogs/thesource/all-you-need-to-know-about-... gives a useful overview of how it’s worked for PSD2, and the new Digital Identity Framework/eIDAS Revisions proposes to make that the approach the standard everywhere.

In practice, this means that the server accepting your certificate needs to implement all of this correctly (spoiler: they don’t), or they bear the liability if the CA gets hacked - and they can’t distrust that CA. It also means the CA potentially learns every site you visit, because the sites have to check with the CA (if using OCSP).

Of course, if the government themselves directed the CA to misissue - e.g. at the direction of law enforcement - no such liability would be presumed, because it was a presumably lawful issuance.
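The two points made above (an earlier comment: the relying party, not a mandated store, decides which roots it trusts; and this one: a relying party is only covered if it checks every field, including the "liability only up to XX euros" statement) can be shown in code. What follows is an added example and is not code from the thread, from Mozilla's paper, or from any TSP; the "Hypothetical TSP Root", the user "alice" and the EUR 1000 ceiling are constructed for illustration. The OIDs are the real ones: id-pe-qcStatements (1.3.6.1.5.5.7.1.3, RFC 3739) and the ETSI EN 319 412-5 statements QcCompliance (0.4.0.1862.1.1) and QcLimitValue (0.4.0.1862.1.2), whose value is MonetaryValue { currency, amount, exponent }. It uses the `cryptography` package and a minimal hand-written DER codec for the extension body.

```python
"""Added example: relying party that verifies an eIDAS-style user certificate only
against trust anchors it chose itself, and enforces the QcLimitValue ceiling.
All certificates, names and amounts here are constructed for illustration."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

QC_STATEMENTS = ObjectIdentifier("1.3.6.1.5.5.7.1.3")   # RFC 3739 id-pe-qcStatements
OID_QC_COMPLIANCE = "0.4.0.1862.1.1"                    # ETSI: this is a qualified cert
OID_QC_LIMIT_VALUE = "0.4.0.1862.1.2"                   # ETSI: per-transaction limit

# --- minimal DER encode/decode, enough for QCStatements (values < 256 bytes) ---
def _len(n): return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
def der_seq(*items): body = b"".join(items); return b"\x30" + _len(len(body)) + body
def der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + _len(len(b)) + b
def der_printable(s): b = s.encode("ascii"); return b"\x13" + _len(len(b)) + b
def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                       # base-128, high bit set on all but last byte
        chunk = [a & 0x7F]; a >>= 7
        while a: chunk.append(0x80 | (a & 0x7F)); a >>= 7
        out += bytes(reversed(chunk))
    return b"\x06" + _len(len(out)) + bytes(out)

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F; ln = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, buf[pos:pos + ln], pos + ln
def der_children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos); out.append((tag, val))
    return out
def oid_to_str(val):
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

# --- the qcStatements extension -----------------------------------------------
def parse_qc_statements(cert):
    """Map statementId -> raw statementInfo body; {} if the extension is absent."""
    try:
        raw = cert.extensions.get_extension_for_oid(QC_STATEMENTS).value.value
    except x509.ExtensionNotFound:
        return {}
    _, seq, _ = der_tlv(raw)
    stmts = {}
    for _, stmt in der_children(seq):
        kids = der_children(stmt)            # [OID, optional statementInfo]
        stmts[oid_to_str(kids[0][1])] = kids[1][1] if len(kids) > 1 else b""
    return stmts

def qc_limit(stmts):
    """Decode MonetaryValue -> (currency, amount * 10**exponent), or None."""
    info = stmts.get(OID_QC_LIMIT_VALUE)
    if info is None:
        return None
    cur, amt, exp = der_children(info)
    scale = int.from_bytes(exp[1], "big", signed=True)
    return cur[1].decode("ascii"), int.from_bytes(amt[1], "big", signed=True) * 10 ** scale

# --- hypothetical TSP and user certificate (constructed, not real) --------------
def _now(): return datetime.datetime.now(datetime.timezone.utc)
def make_ca(name):
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subj).issuer_name(subj)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(days=1))
            .not_valid_after(_now() + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_user_cert(ca_key, ca_cert, user, limit_eur):
    key = ec.generate_private_key(ec.SECP256R1())
    qc = der_seq(der_seq(der_oid(OID_QC_COMPLIANCE)),
                 der_seq(der_oid(OID_QC_LIMIT_VALUE),
                         der_seq(der_printable("EUR"), der_int(limit_eur), der_int(0))))
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, user)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(days=1))
            .not_valid_after(_now() + datetime.timedelta(days=30))
            .add_extension(x509.UnrecognizedExtension(QC_STATEMENTS, qc), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert

# --- relying party: its own anchors, full field check, conservative defaults ----
def _validity(cert):
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    utc = datetime.timezone.utc                       # older cryptography: naive UTC
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)

def relying_party_decision(cert, my_trust_anchors, amount_eur):
    """'accept' or 'reject: <reason>'. my_trust_anchors is the relying party's choice."""
    issuer = next((r for r in my_trust_anchors if r.subject == cert.issuer), None)
    if issuer is None:
        return "reject: issuer not among my trust anchors"
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "reject: signature does not verify under that anchor"
    nb, na = _validity(cert)
    if not nb <= _now() <= na:
        return "reject: outside validity period"
    stmts = parse_qc_statements(cert)
    if OID_QC_COMPLIANCE not in stmts:
        return "reject: not asserted as a qualified certificate"
    limit = qc_limit(stmts)
    if limit is not None:
        cur, ceiling = limit
        if cur != "EUR":                              # cannot compare: refuse, don't guess
            return f"reject: limit in unsupported currency {cur}"
        if amount_eur > ceiling:
            return f"reject: transaction {amount_eur} EUR exceeds certificate limit {ceiling} EUR"
    return "accept"

def demo():
    tsp_key, tsp_root = make_ca("Hypothetical TSP Root")
    _, other_root = make_ca("Some Other Root")
    _, alice = issue_user_cert(tsp_key, tsp_root, "alice", limit_eur=1000)
    return {"within_limit": relying_party_decision(alice, [tsp_root], 500),
            "over_limit":   relying_party_decision(alice, [tsp_root], 5000),
            "distrusted":   relying_party_decision(alice, [other_root], 500)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s} {v}")
```

The point of the three calls in `demo()`: the same certificate is accepted, refused for exceeding its declared ceiling, or refused outright, purely as a function of what the relying party chose to trust and what it bothered to check. A server that skips the qcStatements parse (as the comment above says most do) would accept the 5000 EUR transaction and carry the liability itself; a store the operator cannot edit would remove the third outcome entirely. Revocation checking (OCSP or CRL) is deliberately left out here; as noted above, OCSP is where the CA learns which sites you visit.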


Thanks. Your explanation is miles more informative about that than the original article.


I've worked on identity infrastructure in an EU country, I know a lot of details how it works, the EU proposal is just an extension and merger of the local ones. I can just explain how the local ones works, I don't know the exact details of the EU proposal as I no longer work in that industry.


I'm saying it'll go even further than that though. If you want to use the service you will have to authenticate through this method. This is pretty much as perfect as it gets for any company trying to vacuum up data, because they will be able to uniquely identify every user. It's effectively the end of privacy by obfuscation, because you will have to identify yourself.


Yes, the current regulation is targeted at government sites authenticating citizens, but the goal with these revisions is to require VLOPs to support this, along with allowing them the ability to require this for all websites. The original roadmap called out by the European Agency for Cybersecurity (ENISA) suggests a long-term goal of making this mandatory, effectively reviving the idea of the “Internet drivers license” (for users) and “Authorized domestic website” (for servers).

Source: https://www.enisa.europa.eu/publications/qualified-website-a...


They can already do that though, nothing is stopping them from adding this to their sites right now. The EU already has e-ID for people, and companies can use that if they want.


Yeah, and I never get asked by US companies to prove my identity with my credit card for adult content (which includes music videos from Laibach?!?!)... yawn ... typical US hysteria about IDs, but commercial exploitation is all fine and dandy.


We spend trillions on e-commerce with "normal" user accounts that worked just fine. Some cases of theft and other crimes don't warrant any action in my opinion. Meanwhile we have a huge problem with governmental surveillance, which is a worse crime than theft depending on how you grade it.


I guess that depends what you expect from society and government.

Do you expect that everything runs like an extremely powerful well oiled machine, where 100% interoperability likely means complete surveillance? A seemingly technocratic dystopian reality where every impulse is quantified and catalogued? I think it's naive to believe that governments don't want more money, power and control over their citizens, and government likely will be extracting more with every optimization the system makes.

Or would you rather an extremely powerful machine that is disjointed, highly flawed and laden with inconvenience, so that society doesn't really know who you are? Where the individual has more freedom and liberty, but as a result there is more crime and less "safety". A world where powerful anti-social forces are at play, such as disinformation campaigns, polarization of discourse, fringe movements and revolution.

The commonality is they are both driven by technology. We have built an extremely powerful machine and that has introduced enormous complexity into our society. This complexity equates to entropy and either we pull it together with draconian government policy, or the system unravels.


Question: how will the free/liberal society (plagued by polarization, etc) fare against the dystopian ones?

In the past we've been able to out-innovate and maintain moral leadership thru a fictional aspiration to democratic norms. Now state actors can run finely targeted propaganda campaigns and measure our engagement with them in real time while using extensive censorship measures to prevent us from doing the same to their populations.

None of this invalidates your point, but the tables have been tilted and abstract discussions of freedom tend to avoid wrestling with the geopolitical ramifications.


> A proper online identity framework is long due though.

Due by whom, and for what?


For citizens who want efficient, effective access to services that require identity. The need for identity isn’t going away, and a poor implementation doesn’t guard against overreach.


The EU is already doing that through eIDAS. It's basically a federated login system for government services that works (or at least, should already be working) across governments.

The implementation is not that different from the "log in with Google/Facebook/Twitter/MySpace/Apple" buttons on many websites, though the login procedure is a bit more involved because of the sensitivity of the data.


> For citizens who want efficient, effective access to services that require identity.

There are some citizens who want this. Not all.

> a poor implementation doesn’t guard against overreach.

A good implementation enables overreach as in, "Please confiscate everything belonging to John Q. Public." An effective identity enables government overreach.

This cure is worse than the disease.


> The need for identity isn’t going away [..]

My identity is just fine, but thanks for your concern :)

I can walk into my local bank branch and ask to either pay in or withdraw money and they don't ask for any kind of ID(!), or my account number, because they actually know me :) They even tend to say "Hello $firstname" when I walk in, even if I only called in to use the ATM.

Amazing how good ol'fashioned _offline_ identity can actually be secure.

Try walking into my local branch with faked ID of me and attempting to withdraw funds from my account.


Why would someone try your local branch instead of any one of their 200 convenient nation-wide locations that all have access to your money and don’t know what you look like?

Personal trust as a foundation for identity became an untenable option as soon as the modern age arrived and our world expanded beyond our immediate geographic area.


> Personal trust as a foundation for identity

Eventually every system boils down to personal trust, from the doctor that certifies you were born, to the person looking at the computer screen in a licensing office who is deciding if she is going to issue the license. There is no escaping this.


Identity theft happens because you have weak online identity protections. Strong e-ID systems, as can be found in many parts of Europe, almost completely fix that. Where I live nobody is afraid of identity theft since you can't do anything just because you know someone's names, addresses or numbers.


> services that require identity

Suppose I have my personal QWAC installed in my browser. Does this mean that I won't be able to visit $BIGSITE without authenticating and logging-in?

That wouldn't make things more efficient - it would create friction, because I'd have to switch browsers if I wanted to visit a site that I didn't want to authenticate to; or do some settings fandango to disable QWAC before clicking a link.


In Poland you can do a lot of things digitally by authenticating on government sites with your bank (imagine "Continue with your bank" instead of "Continue with Google" or "Continue with Facebook"). It's nice because the bank already verified my identity when I was creating a bank account. I did not have to scan&send anything, go verify in some office etc., and I was able to do multiple things: change how my company is taxed, register for COVID vaccination, government census.


Canada has this too for some government services like the tax system.


We use BankID for this in Norway (and elsewhere in Scandinavia I think).


> A proper online identity framework is long due though [..]

You're entitled to your opinion but for me, it's a firm "No, thanks".

I feel considerably more comfortable* carrying a paper document which proves my vaccination/negative test than I do using any kind of government-approved app on my phone.

* that's putting it mildly


You should be comfortable with carrying and using a document certifying a test result, but not with a document proving vaccination. The first is reasonable due to its obvious utility in infection control, the second is not; it has now become a tool for sowing division and hatred in society.

If you care about limiting infections, get tested.

If you care about freedom, reject government certificates.


Looks like you haven't lived in 5 European countries and had to interact with all of them for things like taxes, pensions, vehicle registrations, and with mobile phone numbers that change, 2FAs that go crazy, passwords that expire etc. etc.

Yes, a common electronic ID is an absolute godsend. Can't wait for it to be implemented on every fricking public administration website.


I don't think QWACs are at all the same as state controlled root certificates. Browsers aren't going to show EV certificates.


The proposed regulation requires that QWACs MUST be accepted and recognized as such, such as using the European List of Trusted Lists as part of the root store.

That is, if a QWAC is issued by a CA that is not part of the browser root store, it must not be rejected (as any other untrusted certificate would be).


This EU effort to control is ongoing for many years now, how is it in any way unexpected?


Perhaps I'm out of the loop, but the EU attempting to make it illegal to distribute web browsers that don't include certain features is unexpected (and deeply worrying) to me.


The EU has been attacking encryption for years. To attack the browser's root certificates does not seem out of character.

Deeply worrying, yes, but not unexpected.


Where do you find the information that it will be illegal?


The position paper linked in the article above says:

> This is because through Article 45.2, the legislative proposal, in effect, mandates that browsers automatically include Trust Service Providers (TSPs) in their browser root programs.

I haven't read the law in question but I would take "mandates" to imply that doing the opposite is somehow prohibited by the proposed law.


They are protecting their interest

Why should a foreign country have control over my interests?

Why should Mozilla DECIDE what I should and shouldn't trust?

I am very glad that the public opinion decided to not trust Firefox at all (3% market share today)


Mozilla doesn’t decide that. Mozilla is an option _you_ can choose to use. It’s one of N options.


But all large browsers happen to be American. It makes sense that the EU wants to regulate this rather than hand over all decisions related to trust to the USA.

For example, imagine if all big browsers everyone uses were made in China, and mostly just trusted Chinese CAs. Do you think that would be a problem? Do you think the rest of the world would just let that happen instead of starting to regulate it? That is the situation the EU faces right now with American browsers.


I never asked EU to do this for me, and don't want it. No government should have this power. Who did? I don't remember a single party having this in their program.


If you don't like it then you can ask your country representatives to block it for your country, EU doesn't have the power to enforce anything locally. And if all of EU doesn't like it then you can vote out the people who did it and they will give new recommendations next cycle.

EU is safe in that way since the people making the legally binding laws to enforce them aren't the same people making the EU laws, so everything has to go through at least two levels of elected representatives to actually take effect. This means that if EU wants to spy on you then your country can block it, and if your country wants to spy via this system on you then they have to get approval from EU at least. Either way EU is an improvement over just having your local representatives.


Wrong since at least 2009. The EU has the right to force regulations and directives - if the country doesn't implement EU law correctly, the EU can sue the state, stop the flow of donations and place sanctions...

The EU itself says so:

- https://ec.europa.eu/info/law/law-making-process/applying-eu...

- https://ec.europa.eu/info/law/law-making-process/applying-eu...


Why should the EU? Mozilla doesn't decide that, it gives you the option while suggesting a standard to make surfing the web feasible, but you can revoke that trust at any time. The EU wants to change that.


I think the browsers should swing the axe the other direction. Indicate the website is broken when EV certificates are present. Also, indicate all websites are broken if or when the root CA trust is ever forcefully extended to include EV CA authorities, in particular state backed authorities.

I'm not sure about the EU, but forcing browsers to green-light weak security is a violation of the USA's 1st amendment freedom of speech. Regrettably I would not be surprised if the EU took a more authoritarian stance.


"forcing browsers to green-light weak security is a violation of the USA's 1st amendment freedom of speech."

I understand the issues mentioned in passing off scammy actors as legitimate, but in which way would your right to speech be violated?


It would be compelled speech if the law required the browsers to say that a connection is secure when its creators don't want it to.

https://en.wikipedia.org/wiki/Compelled_speech

Whether or not it would violate the 1st amendment would be up to the courts to decide.


The cancer label warnings in California aren't violating any free speech, this is the same thing so it wouldn't violate it. All the browsers would say is "The European Union has verified the identity of this site owner" or something similar.


>"The cancer label warnings in California aren't violating any free speech"

That's because it's commercial speech [0] attached to a sale of a product, which gets a reduced level of protection. I don't think that you could, in the US, compel non-commercial software to express messages like "We trust this CA". Mozilla has a 1st amendment right to not trust CAs, and to tell their users why they don't trust the CA; to boycott a CA; to implement this in code and ship it.

[0] https://crsreports.congress.gov/product/pdf/IF/IF11072 ("The First Amendment: Categories of Speech")


> Mozilla has a 1st amendment right to not trust CAs, and to tell their users why they don't trust the CA; to boycott a CA; to implement this in code and ship it.

Nothing so far says that Mozilla can't tell its users that the EU trusts this but Mozilla doesn't. However it is clear that it is intended to force Mozilla to at least give the user the choice to trust the EU on this.


The part where they're forced to provide the EU's alternative version is still compelled speech.

The decision of trusting or not trusting a CA has an expressive character; it's not pure machine math. Some of the decisions are political speech, even: "we don't like the policies of country X, therefore we'll boycott their root certificate". (Roughly characterized)


I feel there is a big difference between a mandated warning label (California cancer labels) vs. a mandated endorsement like forcing browsers to say that an insecure connection is secure.


Sure there is a big difference, but not from the perspective of free speech. Both cases force you to display a label even if you don't want to show it to people. It is understood that the label isn't your speech, hence it doesn't limit your free speech rights.

You might object to this for other reasons, but free speech isn't a good reason.


I'm not sure I follow. How are EV certificates weak? They use the same cyphers and just have extra validation on the owner/domain.


It appears to be more of a UI issue where the legal entity name is shown along side or sometimes in place of the URL which can be misleading.

To compound problems legal entity names are not required to be unique across states or countries so an EV certificate for a popular company name can be obtained in another geography and presented to the user on an attacker controlled domain.

https://www.bleepingcomputer.com/news/security/extended-vali...


> I'm not sure about the EU, but forcing browsers to green-light weak security is a violation of the USA's 1st amendment freedom of speech. Regrettably I would not be surprised if the EU took a more authoritarian stance.

Care to expand on this? I have a hard time making any sort of connection.


I don't see how the USA's first amendment is at all applicable to the EU.


> In a nutshell, the revised Article 45 would force browsers to suspend the ‘root store’ policies that are essential for maintaining trust and security online. [..] At the same time, the types of website certificates that browsers would be forced to accept, namely QWACs

Can someone explain where this 'force' comes from? I wasn't aware the EU had such authority to decide how programs on a users private computer must behave. Would e.g. making a fork of Firefox that does not comply with this digital identity framework be illegal? Or is this just hyperbole from Mozilla, and the browser would be merely non-compliant?


> I wasn't aware the EU had such authority to decide how programs on a users private computer must behave.

Why not? They publish directives that result in criminal law in member states all the time.

A directive is published, member states are obligated to turn that into domestic legislation, and yes, ultimately a state can criminalise lots of things if it wants to.


> such authority

Key word "such". Prescribing which certificates I am obligated to trust is many many steps beyond e.g. banning DRM circumvention (which is itself a step too far IMO).


Likely it only applies to software you ship to users in EU, not software you use yourself even if you are in EU.


Well, the original document states that "Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1...". I'm not sure, however, what punishment, if any, is there for the browsers that don't comply with that regulation.


It's not the browsers that will be reprimanded. That would be web services like YouTube that only allow browsers providing a certified ID to let users look at the more controversial cat pictures. It is an extremely transparent power grab.


> Would e.g. making a fork of Firefox that does not comply with this digital identity framework be illegal?

No, this only applies to medium to large companies shipping browsers, and they only have to follow it after operating for 5 years. If you fork a browser and edit it then that is working as intended, and if you fork it and distribute binaries that is also ok since you aren't a medium-big company. Possibly the company label refers to the CA or site, but the 5 year window gives you plenty of time to refork every 5 years in the worst case, and this only applies if you operate as a browser provider, so you can use it yourself forever.

"Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services"


The EU has exactly as much authority as we believe it to have, and as much as the member states are willing to enforce.

Those of us not within their bounds could just decide not to comply with their nonsense, and there isn't a great deal that they could actually do about it.

Instead we're letting Europe pull a California, to the detriment of the entire internet.


I wonder why QWACs are less secure than DV.

There is an argument why EV should be treated the same as DV. I'm not buying that argument, but for the moment let's accept it as true.

However, now Mozilla is arguing that EV is less secure than DV. That seems weird to me.

Currently, browsers have root certificates for lots of countries. I can imagine that for a country it becomes a huge problem if suddenly a major browser decides to reject certificates used by that country's government.

Of course, it would be nice if country certificates could be restricted to country specific resources. Maybe Mozilla should push for that.


I see two issues at play.

Not all European CAs meet browsers' root programs requirements. Forcing everyone to accept those certs weakens all root programs (Mozilla's, Microsoft's, etc).

There is also the concern that special indicators displayed with a certificate can mislead users. A scummy company with an EV cert isn't any more trustworthy than if they had a DV cert, but browsers want to be careful not to imply a fancy logo makes the site any safer.


> Not all European CAs meet browsers' root programs requirements.

That sounds like a huge problem, why should EU trust that USA handles trust certificates well? Of course they would want to regulate this instead of leaving that extremely large security hole open, letting USA alone decide what counts as secure or not is not in EU's interests.


I think it is a legitimate concern in both directions. Who should users trust more: Mozilla or their local government? Some countries have tried to use local PKI to spy on citizens. Mozilla has taken steps in the past to prevent abuse. On the other hand, can Mozilla accept an Iranian CA even if they can match the root program's requirements?

Amusingly, Mozilla rejected the US government's request to add the federal PKI to the root store.


Trust in government is typically a lot higher in the EU than in most other parts of the world, so you can't really compare. I know Americans often want private companies to protect them from governments, but in the EU people typically want their government to protect them from private companies. I trust my government way more than I trust Mozilla, Google, Microsoft and Apple combined, it isn't even close.


Mozilla has identified issues with CAs that are part of eIDAS. The severity of these issues can be debated, but the nice part of Mozilla's root program is that these are publicly debated. For example, the community identified repeated issues with the CA Certinomis and after failures to improve they were distrusted. Is it a good thing that the EU says that doesn't matter and Certinomis certs must be trusted as part of eIDAS?

https://drive.google.com/file/d/1DgJe-Ku4u66JF2D6zha28tSKxPB...

https://wiki.mozilla.org/CA/Certinomis_Issues


Mozilla argues in their paper that once governments in one part of the world start forcing browsers to include root certificates, governments in other parts of the world will start doing the same shortly after. You might trust your government more, but you certainly wouldn't trust arbitrary governments more.

Furthermore, I have seen nothing wrong in Mozilla's stewardship of the root certificate program in the decades it's been running, whereas Mozilla points to deficiencies in the EU's certificate programs. This is to be expected since running a root store is not one of the EU's specialties. I would trust most the government that defers to private companies in areas where they lack expertise.


> Who should users trust more: Mozilla or their local government?

Is that really a question to be taken seriously? One is a private organization, completely unaccounted for and in a foreign jurisdiction, who sets their own rules and follows up on themselves.

The other is accountable and audited by independent auditors in a system which upholds separation of power and keeps independent media?

(Just to clarify: Neither Mozilla or anyone else should accept QWAC or any other standard in the face of legitimate concerns, of course. That's not what trust means.)


When it comes to international relations I would depend on (not exactly trust, but close enough) my government more than Mozilla. When it comes to browser implementation topics I trust Mozilla more than any government.

There is nothing intrinsic to any system of government that would make any of them good at solving technical issues on their own.


No one said they should. The EU should at least meet the same if not better standards. Instead they are trying to make an objectively less secure system.


I doubt there is any text that browsers have to enable those certs by default outside the EU.

It could weaken protection for people in the EU, but then the way forward is to make requirements for root certs mandatory in the EU.

Maybe I missed it, but did the document require special UI elements for EU certs?


Yes. It requires the EU Trustmark, a logo designed through a secondary-school competition, to be displayed with certain colors and sizing, as directed through Implementing Acts (which have the force of law, but decided at the Commission level).


Are the TSP audit requirements less strict than what the browsers’ root programs require?


Mozilla says so.

https://drive.google.com/file/d/1DgJe-Ku4u66JF2D6zha28tSKxPB...

I can't speak with authority, but my reading of PKI issues suggests Google is just as strict, while Microsoft and Apple are less strict. However, that just might be because MS and Apple are less public with their root programs.


One element that results in less security is that it becomes more difficult to replace.

For example, QWACs cannot legally be automated (e.g. via ACME), because of certain restrictions applied to needing to validate the natural or legal person making the certificate request. This actually was an issue for one CA (BuyPass) that tried to support ACME but ran afoul of the framework.

While originally QWACs were proposed as optional, regulation such as PSD2 attempts to make them mandatory for (financial services) servers to obtain. If one of those keys is compromised, then the server wishing to obtain a replacement certificate may have to wait weeks to obtain such a certificate, or make an in-person visit to the CA (e.g. the post office).

A considerable number of compromised or misissued certificates have failed to be revoked on the industry-agreed timelines (24 hours or 5 days, depending), because of challenges CAs have faced because their customers haven’t (or legally can’t) automated replacement, and because the additional information in the certificate requires manual validation, despite having no technical impact on the TLS connection.


Not being able to automatically renew certificates seems like a rather minor point in the bigger picture.

I get QWAC goes against the trend of phasing out EV certs. But isn’t the real issue that the browsers don’t trust TSP audits carried out for EU member states?


It’s actually a huge issue - look at how eliminating a key difficulty in obtaining certificates massively increased HTTPS adoption (via LetsEncrypt and others)

Similarly, automation affects how easy or hard it is to replace a CA, for example, if moving to distrust a CA. If you rely on QWAC attributes, you can only use QWAC CAs, and changing CAs becomes significantly more complex.

The audit issue is definitely an issue: the audits used are fundamentally different than what browsers try to achieve, and so having to adopt the lower standard definitely impacts user security. However, my point was that in addition to those concerns, the technical design itself results in less robust and less agile systems, and that makes things less secure.


Most browser vendors do business in the EU. And governments in general have a right to set standards for products and services.

In some sense, Firefox could be an exception, because Mozilla doesn't seem to do a lot of advertising in the EU.

It is not like Apple, Google, or Microsoft can say: we don't really care about the EU, we just remove the browser from products we distribute (directly or through third parties) in the EU.


They're not saying EVs or QWACs are themselves less secure than DV. Rather they are saying that they aren't more secure (because of difficulties interpreting them) and so leading users to place more trust in them can hurt the consumers.


QWACs are untrustworthy because they can be issued by a CA that is not publicly audited.

But the way I understand it, a QWAC is an identity certificate, issued to users, not to websites. AIUI, websites are to be compelled to accept such user-certs in lieu of a password. Well, I don't see what that has to do with the contents of the root store - that controls the website identities that my browser will accept, not the user-identity that the website accepts.

I read the position paper, but not the regulation. I'd like to see a better explanation of the regulation.


QWACs are for web sites, not users. CAs have to be audited as a TSP in order to issue them and be approved by the member state.


Is the draft of the revision available anywhere? I don't see a link anywhere in the position paper. Article 45 in the current regulation[0] says nothing about browsers. I am curious about the exact language that would force Firefox to support the technology and include the TSPs in its root store.

[0] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...



Does anyone know how this relates to WebAuthn and why they need a new way of doing online authentication?


Why is it ok for an American company to collude with foreign politics?

Can't they focus on their broken system first?


This sort of thing is actually somewhere I think Mozilla can make a difference. As a major browser, they are listened to when they lobby standards bodies and political bodies about the web and internet security, and very often they are listened to.

I agree Firefox could be better, but time spent on effective lobbying which will help all browsers is well spent.


As someone from Europe I am thankful for any resistance to such plans and many laws implemented by the EU are written by foreign companies. Companies like central administrations, far easier to lobby against compared to citizens that must carry themselves through countless more or less democratic institutions.


EU laws are written by foreign actors, just look at the lobbying going on on DSA/DMA, those foreign corporations are writing laws against the interests of European companies and citizens.


>One of the most important ways in which browsers protect users is through website authentication. For instance, if a person wants to visit Europa.eu, the web browser must reliably ensure that the site is actually under control of the owner of the domain ‘Europa.eu’, and not an attacker on the network impersonating the European Commission’s domain.



