The legislation requires web browsers to trust EU countries’ CAs (which browsers already tend to do, but are presently free to remove when they’re observed being misused) and prohibits doing non-ETSI-approved validity checks (e.g., Certificate Transparency, which is a way CA-misusing MITM attackers can be caught).
Wouldn’t you say the point of that particular clause is to reduce browser security (so that cops and intelligence agencies are free to exploit it without interference from CT)?
I’m curious why they want this instead of mTLS certificates? This smells like secret services counseled Europe using a front company. But that wouldn’t surprise me, since similar events happened multiple times in the past.