Hacker News

Well, yes? Part of the government issuing certificates for people is that those certificates shall be accepted as proof of identity, including in browsers. I'm not sure how else you'd like to do that. Maybe they issue certificates but nobody accepts them? No, that way is madness.

> and ban them from validating the security of the certs signed by those CAs.

I'm going to need a source on that one, chief. Are you talking about this part?

> To that end, web-browsers should ensure support and interoperability with Qualified certificates for website authentication pursuant to Regulation (EU) No 910/2014. They should recognise and display Qualified certificates for website authentication to provide a high level of assurance, allowing website owners to assert their identity as owners of a website and users to identify the website owners with a high degree of certainty.

Maybe you are talking about this?

> For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner.

Frankly, displaying the fact that a government-issued identity certificate is used seems to me to be the exact opposite of a MITM, but what do I know?

Where does it say that if google.com has Angela Merkel's personal certificate instead of Google's one, the browser shall present it as a secure connection?




I recommend reading the eff.org article linked above. It states: "Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government. Which CAs? Specifically the CAs that were appointed by the government, which in some cases will be owned or operated by that selfsame government." and: "The current text of Article 45 requires that browsers trust CAs appointed by governments, and prohibits browsers from enforcing any security requirements on those CAs beyond what is approved by ETSI. In other words, it sets an upper bar on how much security browsers can require of CAs" and: "This upper bar on security may even ban browsers from enforcing Certificate Transparency"

If you can't connect the dots and understand why people are upset, I can't help you.


Doesn't this also apply, say, to certificates on government websites?



