[HN Gopher] Mozilla publishes position paper on the EU Digital I...
___________________________________________________________________
Mozilla publishes position paper on the EU Digital Identity
Framework
Author : xoa
Score : 200 points
Date : 2021-11-17 15:02 UTC (7 hours ago)
(HTM) web link (blog.mozilla.org)
(TXT) w3m dump (blog.mozilla.org)
| chuckee wrote:
| > In a nutshell, the revised Article 45 would _force_ browsers to
| suspend the 'root store' policies that are essential for
| maintaining trust and security online. [..] At the same time, the
| types of website certificates that browsers would be _forced_ to
| accept, namely QWACs
|
| Can someone explain where this 'force' comes from? I wasn't aware
| the EU had such authority to decide how programs on a user's
| private computer must behave. Would e.g. making a fork of Firefox
| that does not comply with this digital identity framework be
| _illegal_? Or is this just hyperbole from Mozilla, and the
| browser would be merely non-compliant?
| keddad wrote:
| Well, the original document states that "Web-browsers shall
| ensure support and interoperability with qualified certificates
| for website authentication referred to in paragraph 1...". I'm
| not sure, however, what punishment, if any, is there for the
| browsers that don't comply with that regulation.
| Jensson wrote:
| > Would e.g. making a fork of Firefox that does not comply with
| this digital identity framework be illegal?
|
| No, this only applies to medium to large companies shipping
| browsers and they only have to follow it after operating for 5
| years. If you fork a browser and edit it then that is working
| as intended, and if you fork it and distribute binaries that is
| also ok since you aren't a medium big company. Possibly the
| company label refers to CA or site, but the 5 year window gives
| you plenty of time to refork every 5 years in the worst case,
| and this only applies if you operate as a browser provider so you
| can use it yourself forever.
|
| "Web-browsers shall ensure support and interoperability with
| qualified certificates for website authentication referred to
| in paragraph 1, with the exception of enterprises, considered
| to be microenterprises and small enterprises in accordance with
| Commission Recommendation 2003/361/EC in the first 5 years of
| operating as providers of web-browsing services"
| thrower123 wrote:
| The EU has exactly as much authority as we believe it to have,
| and as much as the member states are willing to enforce.
|
| Those of us not within their bounds could just decide not to
| comply with their nonsense, and there isn't a great deal that
| they could actually do about it.
|
| Instead we're letting Europe pull a California, to the
| detriment of the entire internet.
| Mindwipe wrote:
| > I wasn't aware the EU had such authority to decide how
| programs on a user's private computer must behave.
|
| Why not? They publish directives that result in criminal law in
| member states all the time.
|
| A directive is published, member states are obligated to turn
| that into domestic legislation, and yes, ultimately a state can
| criminalise lots of things if it wants to.
| chuckee wrote:
| > such authority
|
| Key word "such". Prescribing which certificates I am
| obligated to trust is many many steps beyond e.g. banning DRM
| circumvention (which is itself a step too far IMO).
| Jensson wrote:
| Likely it only applies to software you ship to users in EU,
| not software you use yourself even if you are in EU.
| xoa wrote:
| This did get posted a few weeks ago at the time it was written
| but didn't get much traction at that point, yet seems like a
| reasonably important issue. The EU has done worthy things for
| issues like privacy, but whatever pluses and minuses of
| regulating personal and business policy I'm a lot more dubious
| about government sticking its hand directly into how specific
| software (like browsers) functions. That seems like a serious
| step beyond merely trying to ensure there is competition and
| choice in different products, full disclosure about them, level
| playing fields etc. Dictating implementation details even for
| open source feels like something with much, much more scope for
| serious negative side effects getting baked in particularly in
| fields where best practices move fast.
|
| A negative security example that comes readily to mind are how
| bad government policies/standards helped cement for a long time
| the awful practice of complex password requirements including
| rapid change requirements, "security questions" and so on. These
| are actively negative for security, people in the field realized
| pretty fast (and of course many argued from the start) that the
| only reqs for passwords should be some minimum length, not using
| previously exposed ones, and having a sufficiently high _maximum_
| length that everyone is free to use more comfortable ones like
| diceware if they wished. While that has been getting revised at
| last bureaucracy still moves much too slowly there.
|
| Of course this hasn't made it through the gauntlet and hopefully
| won't, but I'm glad to see it getting some attention.
| dahfizz wrote:
| I feel similarly about the EU forcing companies to use usb-C as
| a charging port. I love usb-C, and it is basically a
| requirement for any electronic I buy. But forcing everyone to
| use it until the end of time is ridiculous. Imagine if they had
| done this a few years ago, and the micro-B connector was
| mandated. We would never have gotten usb-C.
| AnssiH wrote:
| For the record, the feedback period on the EU charging port
| directive proposal is still open until tomorrow:
| https://ec.europa.eu/info/law/better-regulation/have-your-
| sa...
|
| I quickly glanced at a couple of the feedback documents
| they've got so far, and they seem to echo your concerns.
| We'll see if the parliament makes any changes.
| input_sh wrote:
| > Imagine if they had done this a few years ago, and the
| micro-B connector was mandated. We would never have gotten
| usb-C.
|
| They did, you don't have to imagine it.
|
| In 2009 they signed a memorandum of understanding with 14
| phone companies, which is why micro-B _was_ the standard
| before type C. Apple was within those that signed it, and
| used a loophole in the text to ship a lightning-to-micro-B
| adapter instead.
|
| Around 2016 they realised micro-B was outdated and
| notified the signatories that they should switch to type C.
|
| https://www.macrumors.com/guide/eu-charging-standard-
| proposa...
| dahfizz wrote:
| A Memorandum of Understanding is a far cry from the
| legislation they are trying to push through. A MoU is not
| legally binding. From your link:
|
| > The recent 582-40 parliamentary vote in favor of a common
| charging standard came about because the European
| Commission's previous approach of merely "encouraging" tech
| companies to develop a standardized solution "fell short of
| the co-legislators' objectives," according to a briefing on
| the European Parliament website.
|
| The first phones with USB-C came out in 2015. If this MoU
| was instead binding legislation, those USB-C phones never
| would have been allowed.
| input_sh wrote:
| Almost as if they've seen a shortcoming with signing just
| a memorandum of understanding and took it a step further
| this time around.
|
| > To address the challenges for consumers as well as the
| environment, the Commission has supported a common
| charging solution for mobile phones and similar
| electronic devices since 2009. The Commission first
| facilitated a voluntary agreement by the industry in 2009
| that resulted in the adoption of the first Memorandum of
| Understanding (MoU) and led to reducing the number of
| existing charging solutions for mobile phones on the
| market from 30 to 3. Following the Memorandum's
| expiration in 2014, a new proposal by industry presented
| in March 2018 was not considered satisfactory in
| delivering a common charging solution or meeting the need
| for improved consumer convenience and e-waste reduction.
|
| https://ec.europa.eu/commission/presscorner/detail/en/ip_
| 21_...
| dahfizz wrote:
| > Almost as if they've seen a shortcoming
|
| A shortcoming for _their_ goals. Their goals are at odds
| with what is best for us. It is a good thing the micro-b
| MoU did not have any teeth.
| barrkel wrote:
| Do you have so short a memory about all the proprietary
| connectors we needed to suffer before?
| input_sh wrote:
| I can't speak on behalf of anyone but myself, but when
| that goal is less e-waste, their goal sure does align
| with mine, even if it may take me 20 extra minutes to
| charge my devices when something better than type C comes
| around.
|
| If I can charge my laptop with it, it's surely good
| enough for charging devices with a much smaller battery
| at least for the next decade or so.
| admax88qqq wrote:
| Are chargers really a significant source of e-waste?
|
| E-waste is a direct consequence of technology progress.
| We're not still all using 486s. Technology advances,
| people want that new stuff.
|
| I would wager charging ports are insignificant.
| Ygg2 wrote:
| Hey on my Android, I'm happy to reuse my old chargers.
|
| It would be another thing if I was on Apple ecosystem.
| input_sh wrote:
| Two drawers full of useless USB cables next to me imply
| so, and that's next to having 6 chargers and cables
| pretty much everywhere you can sit in my apartment.
|
| But I wouldn't call it significant, I would call it
| completely unnecessary. I'd really rather buy one when I
| need it than get one with every single gadget I buy,
| which is precisely what the EU is trying to achieve.
| admax88qqq wrote:
| Oh I'd totally rather just buy one as well, but let's be
| honest this is a first world problem around convenience,
| it's not going to put any significant dent in the global
| e-waste problem.
| phicoh wrote:
| I don't understand the 'never gotten usb-C' part. Modern
| phones have more than enough space for two connectors. So
| usb-C next to a micro-B charging port is no problem.
|
| After a while, almost all phones also have usb-C, most people
| like usb-C, so the industry can petition to replace micro-B
| with usb-C.
|
| Are there any examples where the EU mandates legacy stuff
| that is no longer useful, but still has to be kept anyway?
| babypuncher wrote:
| Ports actually do take up valuable real estate inside a
| phone. There are downsides to making phones have two USB
| ports. More ports on the bottom means less space for the
| second speaker and microphone, and makes waterproofing more
| difficult. I don't think any manufacturer would actually do
| it outside devices designed for special use cases.
| alibarber wrote:
| Is that really better though? Phones would have to be
| manufactured with an unused port - and if you want to use
| all the functionality you'd need to buy another cable (yet
| more e-waste)
|
| Not that I have 'the answer' just that it's a hard problem.
| NotEvil wrote:
| You are missing that if micro-b was a "have to include"
| port, Usb-c wouldn't be created. There will be no
| incentive
| mariusor wrote:
| What makes you believe it's until the end of time? They did
| do it with micro USB also. From what I can see the mandate
| changes with the times, so if everything evolves I would
| assume that they'll update their requirements.
| frankfrankfrank wrote:
| On a slightly different angle, my frustration is that it's
| not done on a general standards or outcome based requirement.
| For example rather than dictating a specific thing or even
| standard like micro-USB, simply require, e.g., that 90% of
| all power cables must comply with an industry self-organized
| standard within 3 years of the final release and, e.g., that
| the largest firms must subsidize the compliance by the
| smallest firms in order to prevent gaming the system to drive
| the small companies out of business.
|
| There is a rather significant and major issue that this
| change highlights; essentially all our politicians and
| bureaucrats see themselves as smart and wise enough to be
| central planners and masters of the universe ... when the
| truth could not be farther from it.
| Jensson wrote:
| > Imagine if they had done this a few years ago, and the
| micro-B connector was mandated. We would never have gotten
| usb-C.
|
| But they didn't. These people aren't that dumb, they told
| companies to settle on a standard, and now that we have a
| good standard that basically everyone follows they want to
| make a law to ensure everybody follows it. Bringing up a
| scenario where they did the right thing and argue "just
| imagine if they didn't do the right thing here, that would be
| a problem!" isn't a strong argument.
| taxyz23 wrote:
| If basically everyone follows, then why require it and shut
| off or slow down future innovation? Regulations like this
| are nearly always obsolete by the time they are
| implemented.
| Jensson wrote:
| > If basically everyone follows, then why require it and
| shut off or slow down future innovation? Regulations like
| this are nearly always obsolete by the time they are
| implemented.
|
| Apple doesn't follow it. Also the reason companies
| settled was that EU threatened them with regulations, if
| they didn't follow through when some companies (Apple)
| misbehaves it would mean that such threats would lose
| teeth and won't solve future problems. So if anything the
| problem here isn't EU, the reason that law is coming is
| Apple. Best possible scenario is that companies
| dynamically create new standards and fall in line, but
| Apple refuses to play along so regulations are necessary.
| jollybean wrote:
| USB-C is at least to some extent about standardization.
|
| It's a less complicated issue, while nuanced, I think most of
| the details are manageable by a willing political actor.
|
| It's also a known quantity.
|
| This MOZ paper deals with much more complicated things.
|
| I'm wary of involvement, I wonder if there are industry-led
| solutions that could be supported.
|
| If MSFT, G, FB, AMZN could agree on something with the
| blessing of the EU and indirectly the US, I wonder if it would
| happen very quickly.
| bjelkeman-again wrote:
| EU mandated GSM, which was a success, but we aren't stuck
| with it still.
| dahfizz wrote:
| We aren't stuck with _just_ gsm, but all phones still have
| to carry support for 2g.
|
| The analogous scenario is a phone with 2 charging ports.
| The legacy usb-c alongside the newer port you would
| actually want/use.
| logifail wrote:
| > [..] but all phones still have to carry support for 2g.
|
| Q: Do network operators/SIM card (re)sellers still have
| to support 2G, or just the phone manufacturers?
| floatboth wrote:
| Not sure how it is in the EU specifically but many new
| networks around the world do not have 2G (Jio in India is
| (in)famously 4G-only, Tele2 in Moscow is 3G+4G)
| soco wrote:
| The sim/operator is irrelevant for emergency calls, and
| the motivation behind keeping 2G is better signal reach
| for emergency calls. So I guess even if you wouldn't be
| able to call your friends from the top of the mountain,
| you could successfully dial or sms to 112 (if there's a
| distant mast somewhere in sight with a signal to camp
| on).
| soco wrote:
| GSM aka 2G is kept as fallback for dumb terminals - it's
| rather 3G which was (is) sunsetted. I think keeping it is
| actually a sensible decision.
| motohagiography wrote:
| The use cases for digital identity are almost all pernicious.
| Sure, you can use it for nice things like public services, except
| we do that today quite expansively without one, and why do we
| need biometric level proofs for that?
|
| A government digital identity means that every informal
| transaction in the economy that uses it relies on the state as an
| inline broker. We can see this today with vax passports, where
| just this month you have to check-in with the government before
| you can enter a restaurant. (only temporary, surely) It's
| designed to manage people like livestock, and we all know that
| some pigs are more equal than others. Even vax passports and so-
| called "mandates," have exploited loopholes in our high trust
| societies and assumed formlessness as to avoid being challenged
| legally. Digital identity regimes will use the same indirect
| methods. This is their strategy.
|
| Why do you need to _prove_ your identity unless there is some
| intent to prosecute you? Most of the value in the economy is
| based on people taking on transaction risk on behalf of others,
| so replacing it with digital identity will destroy degrees of
| economic freedom and opportunity for your kids and grandkids.
| Identity does not create opportunity, it limits it.
|
| Civilization doesn't survive malicious institutions that turn
| inward against the people they serve, and I hope other
| technologists think seriously about identity and consider the
| consequences of it falling into the hands of an enemy or evil
| institution, because having worked in identity, I guarantee it
| will.
| Jensson wrote:
| > Why do you need to prove your identity unless there is
| some intent to prosecute you? Most of the value in the economy
| is based on people taking on transaction risk on behalf of
| others, so replacing it with digital identity will destroy
| degrees of economic freedom and opportunity for your kids and
| grandkids. Identity does not create opportunity, it limits it.
|
| I don't understand this argument at all. In what way does the
| economy require that people take on risks of identity theft
| when they trade with each other? I don't see a single instance
| of trade being limited even if all transactions were between
| established identities.
|
| There are other issues of tight tracking of course, but I don't
| see this one.
| dabbledash wrote:
| Unless the entity that vouches for the identity or oversees
| transactions wanted to limit the ability of some disfavored
| participants, for some reason.
| Jensson wrote:
| If your bank wants to stop you from making a transaction
| they can do so today as well, not sure how this would
| change anything. The big difference is that now you could
| verify the other party's identity before the transaction
| instead of just your bank doing it.
|
| I can see an objection to erasure of cash, but not these
| identities.
| throwaway41597 wrote:
| With the rise of the internet I now consider my identity to
| be valuable. So I don't give it away for free.
|
| I personally don't want my identity checked unless I'm asking
| someone to trust me. And I'd rather use a trust-minimizing
| system before going there. You don't need your id checked
| when going to the restaurant or the theater. You need to
| check someone's id when they take your money and promise you
| something in return (and even then, there may be a better
| way).
|
| > I don't see a single instance of trade being limited even
| if all transactions were between established identities.
|
| Do you buy something if you need to send a copy of your id?
| Do you use a website if it requires Facebook connect?
|
| The issues of tight tracking you mention would be amplified
| by widespread use of id checks so I think it's essential not
| to do them often.
| the_greyd wrote:
| You make a good point. In a state of pandemic, the population
| IS in some sense similar to livestock, bodies to be managed,
| since the virus has weaponized our bodies. Wouldn't you say?
| tasogare wrote:
| The common method to deal with avian influenza is killing all
| the livestock when one case is detected. Your comparison is
| scary and uncanny, but well aligned with how violent the
| pandemic has been handled by various governments.
| Shadonototra wrote:
| Why is it ok for an american company to collude with foreign
| politics?
|
| Can't they focus on their broken system first?
| zoobab wrote:
| EU laws are written by foreign actors, just look at the
| lobbying going on on DSA/DMA, those foreign corporations are
| writing laws against the interests of European companies and
| citizens.
| muricula wrote:
| This sort of thing is actually somewhere I think Mozilla can
| make a difference. As a major browser, they are listened to
| when they lobby standards bodies and political bodies about the
| web and internet security, and very often they are listened to.
|
| I agree Firefox could be better, but time spent on effective
| lobbying which will help all browsers is well spent.
| [deleted]
| theplumber wrote:
| Does anyone know how this relates to webauthn and why they need a new
| way of doing online authentication?
| parasense wrote:
| I think the Browsers should swing the axe the other direction.
| Indicate the website is broken when EV certificates are present.
| Also, indicate all websites are broken if/or when the Root-CA-
| trust ever be forcefully extended to include EV CA authorities,
| in particular state backed authorities.
|
| I'm not sure about the EU, but forcing browsers green-light weak
| security is a violation of the USA's 1st amendment freedom of
| speech. Regrettably I would not be surprised if EU took a more
| authoritarian stance.
| pantulis wrote:
| "forcing browsers green-light weak security is a violation of
| the USA's 1st amendment freedom of speech."
|
| I understand the issues mentioned in passing scammy actors as
| legitimate but, in which way your rights to speech would be
| violated?
| [deleted]
| vhold wrote:
| It would be compelled speech if the law required the browsers
| to say that a connection is secure when its creators don't
| want it to.
|
| https://en.wikipedia.org/wiki/Compelled_speech
|
| Whether or not it would violate the 1st amendment would be up
| to the courts to decide.
| Jensson wrote:
| The cancer label warnings in California aren't violating
| any free speech, this is the same thing so it wouldn't
| violate it. All the browsers would say is "The European
| Union has verified the identity of this site owner" or
| something similar.
| perihelions wrote:
| > _"The cancer label warnings in California aren't
| violating any free speech"_
|
| That's because it's commercial speech [0] attached to a
| sale of a product, which gets a reduced level of
| protection. I don't think that you could, in the US,
| compel non-commercial software to express messages like
| _"We trust this CA"_. Mozilla has a 1st amendment right
| to not trust CAs, and to tell their users why they
| don't trust the CA; to boycott a CA; to implement this in
| code and ship it.
|
| [0]
| https://crsreports.congress.gov/product/pdf/IF/IF11072 (
| _"The First Amendment: Categories of Speech"_)
| Jensson wrote:
| > Mozilla has a 1st amendment right to not trust CAs,
| and to tell their users why they don't trust the CA; to
| boycott a CA; to implement this in code and ship it.
|
| Nothing so far says that Mozilla can't tell its users
| that EU trusts this but Mozilla doesn't. However it is
| clear that it is intended to force Mozilla to at least
| give the user the choice to trust EU on this.
| perihelions wrote:
| The part where they're forced to provide the EU's
| alternative version is still compelled speech.
|
| The decision of trusting or not trusting a CA has an
| expressive character; it's not pure machine math. Some of
| the decisions are political speech, even: "we don't like
| the policies of country X, therefore we'll boycott their
| root certificate". (Roughly characterized)
| SkeuomorphicBee wrote:
| I feel there is a big difference between a mandated
| warning label (California cancer labels), Vs a mandated
| endorsement like forcing browsers to say that an unsecure
| connection is secure.
| Jensson wrote:
| Sure there is a big difference, but not from the
| perspective of free speech. Both cases force you to
| display a label even if you don't want to show it to
| people. It is understood that the label isn't your
| speech, hence it doesn't limit your free speech rights.
|
| You might object to this for other reasons, but free
| speech isn't a good reason.
| deadbunny wrote:
| I'm not sure I follow. How are EV certificates weak? They use
| the same cyphers and just have extra validation on the
| owner/domain.
| mikeiz404 wrote:
| It appears to be more of a UI issue where the legal entity
| name is shown alongside or sometimes in place of the URL
| which can be misleading.
|
| To compound problems legal entity names are not required to
| be unique across states or countries so an EV certificate for
| a popular company name can be obtained in another geography
| and presented to the user on an attacker controlled domain.
|
| https://www.bleepingcomputer.com/news/security/extended-
| vali...
| sofixa wrote:
| > I'm not sure about the EU, but forcing browsers green-light
| weak security is a violation of the USA's 1st amendment freedom
| of speech. Regrettably I would not be surprised if EU took a
| more authoritarian stance.
|
| Care to expand on this? I have a hard time making any sort of
| connection.
| denton-scratch wrote:
| It's ultimately _my_ decision which certificates I will trust. I
| can choose to trust just one certificate, and ignore the Mozilla
| root store, or I can use Mozilla's root store, and modify it.
| These are my decisions, not Mozilla's.
|
| So this proposed regulation mandates that my browser must support
| QWAC, and include TSP roots? Does that mean that browsers MUST
| deprive me of the ability to control my root store? Would I be in
| violation if I modified my (open-source) browser so that it was
| no longer in compliance?
|
| Supposing I published my patch on a website outside the EU (e.g.
| in the UK)?
|
| To be clear, I don't want a root cert from any entity that is
| effectively controlled by a government, to be trusted by my
| browser. Some governments bother me more than others, (for
| example) a Turkish government-controlled CA was caught forging
| certificates. There's still a Turkish CA in there, I see; Debian
| have seen fit to remove it.
|
| It's all fine, the sky won't fall. _As long as I can still decide
| who I trust_.
| Jensson wrote:
| This is all the initial recommendations say about browsers and
| certificates, there is nothing about preventing browsers from
| allowing the users to configure this, just to have them support
| it (and most of this is already supported by browsers, this is
| mostly just a recommendation to force all browsers to implement
| site security):
|
| > To that end, web-browsers should ensure support and
| interoperability with Qualified certificates for website
| authentication pursuant to Regulation (EU) No 910/2014. They
| should recognise and display Qualified certificates for website
| authentication to provide a high level of assurance, allowing
| website owners to assert their identity as owners of a website
| and users to identify the website owners with a high degree of
| certainty.
|
| Edit: It also limits this to larger web browser providers in
| another part and only after 5 years. So people are free to run
| their own forks of browsers, so I doubt that it will be
| forbidden for browsers to just have a setting for specific sets
| of certs.
| denton-scratch wrote:
| Thanks.
| max_ wrote:
| > One of the most important ways in which browsers protect users
| is through website authentication. For instance, if a person
| wants to visit Europa.eu, the web browser must reliably ensure
| that the site is actually under control of the owner of the
| domain 'Europa.eu', and not an attacker on the network
| impersonating the European Commission's domain.
| phicoh wrote:
| I wonder why QWACs are less secure than DV.
|
| There is an argument why EV should be treated the same as DV. I'm
| not buying that argument, but for the moment let's accept it as
| true.
|
| However, now Mozilla is arguing that EV is less secure than DV.
| That seems weird to me.
|
| Currently, browsers have root certificates for lots of countries.
| I can imagine that for a country it becomes a huge problem if
| suddenly a major browser decides to reject certificates used by
| that country's government.
|
| Of course, it would be nice if country certificates could be
| restricted to country specific resources. Maybe mozilla should
| push for that.
| Jwarder wrote:
| I see two issues at play.
|
| Not all European CAs meet browsers' root programs requirements.
| Forcing everyone to accept those certs weakens all root
| programs (Mozilla's, Microsoft's, etc).
|
| There is also the concern that special indicators displayed
| with a certificate can mislead users. A scummy company with an
| EV cert isn't any more trustworthy than if they had a DV cert,
| but browsers want to be careful not to imply a fancy logo makes
| the site any safer.
| kjetil wrote:
| Are the TSP audit requirements less strict than what the
| browsers' root programs require?
| Jwarder wrote:
| Mozilla says so.
|
| https://drive.google.com/file/d/1DgJe-
| Ku4u66JF2D6zha28tSKxPB...
|
| I can't speak with authority, but my reading of PKI issues
| suggests Google is just as strict, while Microsoft and
| Apple are less strict. However, that just might be because
| MS and Apple are less public with their root programs.
| phicoh wrote:
| I doubt there is any text that browsers have to enable those
| certs by default outside the EU.
|
| It could weaken protection for people in the EU, but then the
| way forward is to make requirements for root certs mandatory
| in the EU.
|
| Maybe I missed it, but did the document require special UI
| elements for EU certs?
| sleevi wrote:
| Yes. It requires the EU Trustmark, a logo designed through
| a secondary-school competition, to be displayed with
| certain colors and sizing, as directed through Implementing
| Acts (which have the force of law, but decided at the
| Commission level).
| [deleted]
| Jensson wrote:
| > Not all European CAs meet browsers' root programs
| requirements.
|
| That sounds like a huge problem, why should EU trust that USA
| handles trust certificates well? Of course they would want to
| regulate this instead of leaving that extremely large
| security hole open, letting USA alone decide what counts as
| secure or not is not in EU's interests.
| Jwarder wrote:
| I think it is a legitimate concern in both directions. Who
| should users trust more: Mozilla or their local government?
| Some countries have tried to use local PKI to spy on
| citizens. Mozilla has taken steps in the past to prevent
| abuse. On the other hand, can Mozilla accept an Iranian CA
| even if they can match the root program's requirements?
|
| Amusingly, Mozilla rejected the US government's request to
| add the federal PKI to the root store.
| Jensson wrote:
| Trust in government is typically a lot higher in EU than
| most other parts of the world, so you can't really
| compare. I know Americans often want private companies
| to protect them from governments, but in EU people
| typically want their government to protect them from
| private companies. I trust my government way more than I
| trust Mozilla, Google, Microsoft and Apple combined, it
| isn't even close.
| syrrim wrote:
| Mozilla argues in their paper that once governments in
| one part of the world start forcing browsers to include root
| certificates, governments in other parts of the world
| will start doing the same shortly after. You might trust
| your government more, but you certainly wouldn't trust
| arbitrary governments more.
|
| Furthermore, I have seen nothing wrong in mozilla's
| stewardship of the root certificate program in the
| decades it's been running, whereas mozilla points to
| deficiencies in the EU's certificate programs. This is to
| be expected since running a root store is not one of the
| EU's specialties. I would trust that government most that
| _defers_ to private companies in areas where they lack
| expertise.
| Jwarder wrote:
| Mozilla has identified issues with CAs that are part of
| eIDAS. The severity of these issues can be debated, but
| the nice part of Mozilla's root program is that these are
| publicly debated. For example, the community identified
| repeated issues with the CA Certinomis and after failures
| to improve they were distrusted. Is it a good thing that
| the EU says that doesn't matter and Certinomis certs must
| be trusted as part of eIDAS?
|
| https://drive.google.com/file/d/1DgJe-
| Ku4u66JF2D6zha28tSKxPB...
|
| https://wiki.mozilla.org/CA/Certinomis_Issues
| xorcist wrote:
| > Who should users trust more: Mozilla or their local
| government?
|
| Is that really a question to be taken seriously? One is a
| private organization, completely unaccounted for and in a
| foreign jurisdiction, who sets their own rules and
| follows up on themselves.
|
| The other is accountable and audited by independent
| auditors in a system which upholds separation of power
| and keeps independent media?
|
| (Just to clarify: Neither Mozilla nor anyone else should
| accept QWAC or any other standard in the face of
| legitimate concerns, of course. That's not what trust
| means.)
| CircleSpokes wrote:
| No one said they should. The EU should at least meet the
| same if not better standards. Instead they are trying to
| make an objectively less secure system.
| advisedwang wrote:
| They're not saying EVs or QWACs are themselves less secure than
| DV. Rather they are saying that they aren't _more_ secure
| (because of difficulties interpreting them) and so leading
| users to place more trust in them can hurt the consumers.
| sleevi wrote:
| One element that results in less security is that it becomes
| more difficult to replace.
|
| For example, QWACs cannot legally be automated (e.g. via ACME),
| because of certain restrictions applied to needing to validate
| the natural or legal person making the certificate request.
| This actually was an issue for one CA (BuyPass) that tried to
| support ACME but ran afoul of the framework.
|
| While originally QWACs were proposed as optional, regulation
| such as PSD2 attempts to make them mandatory for (financial
| services) servers to obtain. If one of those keys is
| compromised, then the server wishing to obtain a replacement
| certificate may have to wait weeks to obtain such a
| certificate, or make an in-person visit to the CA (e.g. the
| post office).
|
| A considerable number of compromised or misissued certificates
| have failed to be revoked on the industry-agreed upon
| timelines (24 hours or 5 days, depending), because of
| challenges CAs have faced because their customers haven't (or
| legally can't) automate replacement, and because the additional
| information in the certificate requires manual validation,
| despite having no technical impact on the TLS connection.
| kjetil wrote:
| Not being able to automatically renew certificates seems like
| a rather minor point in the bigger picture.
|
| I get QWAC goes against the trend of phasing out EV certs.
| But isn't the real issue that the browsers don't trust TSP
| audits carried out for EU member states?
| phicoh wrote:
| Most browser vendors do business in the EU. And governments in
| general have a right to set standards for products and
| services.
|
| In some sense, Firefox could be an exception, because Mozilla
| doesn't seem to do a lot of advertising in the EU.
|
| It is not like Apple, Google, or Microsoft can say: we don't
| really care about the EU, we just remove the browser from
| products we distribute (directly or through third parties) in
| the EU.
| denton-scratch wrote:
| QWACS are untrustworthy because they can be issued by a CA that
| is not publicly audited.
|
| But the way I understand it, a QWAC is an identity certificate,
| issued to users, not to websites. AIUI, websites are to be
| compelled to accept such user-certs in lieu of a password.
| Well, I don't see what that has to do with the contents of the
| root store - that controls the website identities that my
| browser will accept, not the user-identity that the website
| accepts.
|
| I read the position paper, but not the regulation. I'd like to
| see a better explanation of the regulation.
| kjetil wrote:
| QWACs are for web sites, not users. CAs have to be audited as
| a TSP in order to issue them and be approved by the member
| state.
| MR4D wrote:
| Authoritarianism raises its head in all sorts of interesting
| ways.
|
| Interesting to see the EU choose the path of Kazakhstan.[0]
|
| [0] -
| https://www.internetsociety.org/news/statements/2019/interne...
| bogle wrote:
| I don't think QWACs are at all the same as state controlled
| root certificates. Browsers aren't going to show EV
| certificates.
| sleevi wrote:
| The proposed regulation requires that QWACs MUST be accepted
| and recognized as such, such as using the European List of
| Trusted Lists as part of the root store.
|
| That is, if a QWAC is issued by a CA that is not part of the
| browser root store, it must not be rejected (as any other
| untrusted certificate would be).
| theplumber wrote:
| A proper online identity framework is long due though. Maybe
| this is not the proper one but sending copies of my passport,
| electricity bills and lately selfie recordings as well to
| "prove my identity" doesn't seem right either.
| ostenning wrote:
| I guess that depends what you expect from society and
| government.
|
| Do you expect that everything runs like an extremely powerful
| well oiled machine, where 100% interoperability likely means
| complete surveillance? A seemingly technocratic dystopian
| reality where every impulse is quantified and catalogued? I
| think it's naive to believe that governments don't want more
| money, power and control over its citizens and government
| likely will be extracting more with every optimization the
| system makes.
|
| Or would you rather an extremely powerful machine that is
| disjointed, highly flawed and laden with inconvenience in-so-
| that society doesn't really know who you are? Where the
| individual has more freedom and liberty, but as a result
| there is more crime and less "safety". A world where powerful
| anti-social forces are at play, such as disinformation
| campaigns, polarization of discourse, fringe movements and
| revolution.
|
| The commonality is they are both driven by technology. We
| have built an extremely powerful machine and that has
| introduced enormous complexity into our society. This
| complexity equates to entropy and either we pull it together
| with draconian government policy, or the system unravels.
| argomo wrote:
| Question: how will the free/liberal society (plagued by
| polarization, etc) fare against the dystopian ones?
|
| In the past we've been able to out-innovate and maintain
| moral leadership thru a fictional aspiration to democratic
| norms. Now state actors can run finely targeted propaganda
| campaigns and measure our engagement with them in real time
| while using extensive censorship measures to prevent us
| from doing the same to their populations.
|
| None of this invalidates your point, but the tables have
| been tilted and abstract discussions of freedom tend to
| avoid wrestling with the geopolitical ramifications.
| xoa wrote:
| Governments though can do that through their own passive
| demand. Ie., they can issue proper smartcards/tokens for
| citizens to identify themselves with, and then say that those
| can (and eventually must) be used for electronic interactions
| with the government itself (taxes being a big one but they'd
| easily be useful for a range of stuff). Follow/improve open
| standards. With something good, open and convenient private
| usage will naturally follow. Government can also by
| definition get involved with the issue of legal liability and
| fix BS like "identity theft" by shifting liability for
| businesses who do not meet good authentication standards.
| Doing it that way also creates room for fixing serious issues
| in practice before a natural rollout, as it starts by the
| government dogfooding its own standard. And if a lot of sites
| demand it, browsers will respond absent overwhelming reason
| not to, which itself is a good form of pressure to get said
| overwhelming reasons fixed.
|
| I'm very doubtful though that trying to just directly
| legislate how software universally works though bypassing
| process is a good idea. Massive room for abuse as well.
| slowmovintarget wrote:
| I think you touch on the issue.
|
| Having a standard for Identity Management seems reasonable.
| Mandating that such a state-regulated identity be used for
| all on-line data passing on the internet seems like a
| nightmare waiting to happen.
|
| That may not be the step in between "collect underpants"
| and "profit" but it feels like it's coming. In the U.S.,
| I'm sure something like this will be sold in the clothing
| of think-of-the-children.
| Jensson wrote:
| > Mandating that such a state-regulated identity be used
| for all on-line data passing on the internet seems like a
| nightmare waiting to happen.
|
| They didn't mandate that though, the proposal was that it
| should be possible to use it, not that everyone should be
| forced to use it. You would still be able to log in using
| other means.
|
| Basically, facebook would be required to provide you with
| the option to use e-id to log in. But you could still log
| in with other means. It just gives you more freedom.
| logifail wrote:
| > A proper online identity framework is long due though [..]
|
| You're entitled to your opinion but for me, it's a firm "No,
| thanks".
|
| I feel considerably more comfortable* carrying a paper
| document which proves my vaccination/negative test than I do
| using any kind of government-approved app on my phone.
|
| * that's putting it mildly
| dariosalvi78 wrote:
| looks like you haven't lived in 5 European countries and
| have to interact with all of them for things like taxes,
| pensions, vehicles registrations, and with mobile phones
| numbers that change, 2FAs that go crazy, passwords that
| expire etc. etc.
|
| Yes, a common electronic ID is an absolute godsend. Can't
| wait for it to be implemented on every fricking public
| administration website.
| indymike wrote:
| > A proper online identity framework is long due though.
|
| Due by whom, and for what?
| toomuchtodo wrote:
| For citizens who want efficient, effective access to
| services that require identity. The need for identity isn't
| going away, and a poor implementation doesn't guard against
| overreach.
| Tom4hawk wrote:
| In Poland you can do a lot of things digitally by
| authenticating on government sites with your Bank
| (Imagine "Continue with your bank" instead of "Continue
| with Google" or "Continue with Facebook"). It's nice
| because bank already verified my identity when I was
| creating a bank account. I did not have to scan&send
| anything, go verify in some office etc. and I was able to
| do multiple things: change how my company is taxed,
| register for COVID vaccination, government census.
| AlexandrB wrote:
| Canada has this too for some government services like the
| tax system.
| denton-scratch wrote:
| > services that require identity
|
| Suppose I have my personal QWAC installed in my browser.
| Does this mean that I won't be able to visit $BIGSITE
| without authenticating and logging-in?
|
| That wouldn't make things more efficient - it would
| create friction, because I'd have to switch browsers if I
| wanted to visit a site that I didn't want to authenticate
| to; or do some settings fandango to disable QWAC before
| clicking a link.
| jeroenhd wrote:
| The EU is already doing that through eIDAS. It's
| basically a federated login system for government
| services that works (or at least, should already be
| working) across governments.
|
| The implementation is not that different from the "log in
| with Google/Facebook/Twitter/MySpace/Apple" buttons on
| many websites, though the login procedure is a bit more
| involved because of the sensitivity of the data.
| logifail wrote:
| > The need for identity isn't going away [..]
|
| My identity is just fine, but thanks for your concern :)
|
| I can walk into my local bank branch and ask to either
| pay in or withdraw money and they don't ask for any kind
| of ID(!), or my account number, because they actually
| know me :) They even tend to say "Hello $firstname" when
| I walk in, even if I only called in to use the ATM.
|
| Amazing how good ol'fashioned _offline_ identity can
| actually be secure.
|
| Try walking into my local branch with faked ID of me and
| attempting to withdraw funds from my account.
| nucleardog wrote:
| Why would someone try your local branch instead of any
| one of their 200 convenient nation-wide locations that
| all have access to your money and _don't_ know what you
| look like?
|
| Personal trust as a foundation for identity became an
| untenable option as soon as the modern age arrived and
| our world expanded beyond our immediate geographic area.
| Jensson wrote:
| Identity theft happens because you have weak online
| identity protections. Strong e-id systems as can be found
| in many parts of Europe almost completely fix that.
| Where I live nobody is afraid of identity theft since you
| can't do anything just because you know someone's names,
| addresses or numbers.
| [deleted]
| Aerroon wrote:
| When this becomes widespread then you can expect to have to
| authenticate this way everywhere. Want to make a Twitter
| account? Please authenticate with your government ID.
| Facebook? Of course. Video games? You bet.
|
| South Korea already has these requirements for (some of) their
| video games.
| benjamir wrote:
| Yeah, and I never get asked by US companies to prove my
| identity with my credit card for adult content (which
| includes music videos from Laibach?!?!)... _yawn_ ...
| typical US hysteria about IDs, but commercial exploitation
| is all fine and dandy.
| sleevi wrote:
| The draft revisions actually propose such authentication to
| be mandatory to implement for service providers if their
| users would like to use it.
|
| That is, it specifically targets websites (particularly
| Very Large Online Platforms) that they MUST accept such ID
| in lieu of an email or password, at the user's request.
| This was part of the original motivation for the revisions,
| to target "Sign in with Facebook" or "Sign in with Google"
| and require such sites also offer a "Login with EU" option.
|
| Source: https://eur-lex.europa.eu/legal-
| content/EN/ALL/?uri=COM%3A20...
| Aerroon wrote:
| I'm saying it'll go even further than that though. If you
| want to use the service you will have to authenticate
| through this method. This is pretty much as perfect as it
| gets for any company trying to vacuum up data, because
| they will be able to uniquely identify every user. It's
| effectively the end of privacy by obfuscation, because
| you will have to identify yourself.
| Jensson wrote:
| They can already do that though, nothing is stopping them
| from adding this to their sites right now. EU already has
| e-id for people and companies can use that if they want.
| sleevi wrote:
| Yes, the current regulation is targeted at government
| sites authenticating citizens, but the goal with these
| revisions is to require VLOPs to support this, along with
| allowing them the ability to require this for all
| websites. The original roadmap called out by the European
| Agency for Cybersecurity (ENISA) suggests a long-term
| goal of making this mandatory, effectively reviving the
| idea of the "Internet drivers license" (for users) and
| "Authorized domestic website" (for servers).
|
| Source:
| https://www.enisa.europa.eu/publications/qualified-
| website-a...
| denton-scratch wrote:
| So $VLOP is compelled to accept QWAC user-certificates,
| if one user requests it? And QWAC user-certificates are
| issued by TSPs whose CA cert _must_ appear in the root-
| store unconditionally?
|
| That means there is nothing preventing $TSP from forging
| my certificate, and giving it to criminals/government-
| agents, and nothing to keep the TSP in line, because the
| single audit constraint is "Keep the Minister satisfied".
|
| I personally don't have a problem with the idea of
| replacing passwords with user-certs, _provided I get to
| generate my own cert with my own private key_. But the
| evidence is that general users can't learn how to use
| certificates.
|
| I hate passwords, but I'd rather use passwords than a
| user-cert issued by an unreliable CA.
| Jensson wrote:
| The "unreliable CA" you are talking about here happens to
| be banks and similar. Do you trust that your bank doesn't
| just steal your money? Yes, you basically can't function
| in modern society if you don't. These e-IDs just
| piggyback on that trust to also work on online sign-ins.
| Most people worry more about their bank account being
| compromised than their github, so if these CAs (i.e.
| banks) start to abuse their position we would have way
| bigger troubles than someone stealing your github
| accounts.
| denton-scratch wrote:
| I see, QWACs are to be issued by banks. And websites are
| required to trust them.
|
| So if the bank gets hacked, then presumably the EU will
| indemnify the relying website against any legal action
| for trusting an unreliable CA? Even if that website is in
| China/Russia/Belarus?
|
| You seem to have read the proposed regulation, Jensson;
| the information you've given is not in the position
| paper. Any chance of a summary?
| Jensson wrote:
| I've worked on identity infrastructure in an EU country,
| I know a lot of details how it works, the EU proposal is
| just an extension and merger of the local ones. I can
| just explain how the local ones work, I don't know the
| exact details of the EU proposal as I no longer work in
| that industry.
| sleevi wrote:
| The QWACs can be issued by anyone who meets the minimum
| requirements, which are substantially less than those
| required for TLS server CAs in browsers. So while it's
| true that banks can issue these, in practice there are
| many small companies with fewer than a thousand or so
| certs out there which have the same requirement that they
| must be accepted.
|
| The eID certificates do come with probative (legal)
| effect, but this is where it gets complicated.
|
| If the CA is hacked or screws up, yes, the CA is liable.
| But only if you did everything you were supposed to, such
| as checking every element of the certificate. These
| certificates have a variety of fields, such as "liability
| only up to XX euros", and you (the site or user) are
| liable if you use it for more than that.
|
| PSD2 has shown that the standards are a nightmare to
| fully implement. https://wso2.com/blogs/thesource/all-
| you-need-to-know-about-... gives a useful overview of how
| it's worked for PSD2, and the new Digital Identity
| Framework/eIDAS Revisions proposes to make that
| approach the standard everywhere.
|
| In practice, this means that the server accepting your
| certificate needs to implement all of this correctly
| (spoiler: they don't), or they bear the liability if the
| CA gets hacked - and they can't distrust that CA. It also
| means the CA potentially learns every site you visit,
| because the sites have to check with the CA (if using
| OCSP).
|
| Of course, if the government themselves directed the CA
| to misissue - e.g. at the direction of law enforcement -
| no such liability would be presumed, because it was a
| presumably lawful issuance.
| denton-scratch wrote:
| Thanks. Your explanation is miles more informative about
| that than the original article.
| kwhitefoot wrote:
| We use BankID for this in Norway (and elsewhere in
| Scandinavia I think).
| emteycz wrote:
| This EU effort to control has been ongoing for many years now, how is
| it in any way unexpected?
| furi wrote:
| Perhaps I'm out of the loop, but the EU attempting to make it
| illegal to distribute web browsers that don't include certain
| features is unexpected (and deeply worrying) to me.
| dahfizz wrote:
| The EU has been attacking encryption for years. To attack
| the browser's root certificates does not seem out of
| character.
|
| Deeply worrying, yes, but not unexpected.
| wahlis wrote:
| Where do you find the information that it will be illegal?
| furi wrote:
| The position paper linked in the article above says:
|
| > This is because through Article 45.2, the legislative
| proposal, in effect, mandates that browsers automatically
| include Trust Service Providers (TSPs) in their browser
| root programs.
|
| I haven't read the law in question but I would take
| "mandates" to imply that doing the opposite is somehow
| prohibited by the proposed law.
| Shadonototra wrote:
| They are protecting their interest
|
| Why should a foreign country have control over my
| interests?
|
| Why should Mozilla DECIDE what I should and shouldn't
| trust?
|
| I am very glad that the public opinion decided to not trust
| Firefox at all (3% market share today)
| plandis wrote:
| Mozilla doesn't decide that. Mozilla is an option _you_
| can choose to use. It's one of N options.
| Jensson wrote:
| But all large browsers happen to be American. It makes
| sense that EU wants to regulate this rather than hand
| over all decisions related to trust to USA.
|
| For example, imagine if all big browsers everyone uses
| were made in China, and mostly just trusted Chinese CA.
| Do you think that would be a problem? Do you think the
| rest of the world would just let that happen instead of
| starting to regulate it? That is the situation EU faces
| right now with American browsers.
| emteycz wrote:
| I never asked EU to do this for me, and don't want it. No
| government should have this power. Who did? I don't
| remember a single party having this in their program.
| Jensson wrote:
| If you don't like it then you can ask your country
| representatives to block it for your country, EU doesn't
| have the power to enforce anything locally. And if all of
| EU doesn't like it then you can vote out the people who
| did it and they will give new recommendations next cycle.
|
| EU is safe in that way since the people making the
| legally binding laws to enforce them aren't the same
| people making the EU laws, so everything has to go
| through at least two levels of elected representatives to
| actually take effect. This means that if EU wants to spy
| on you then your country can block it, and if your
| country wants to spy via this system on you then they
| have to get approval from EU at least. Either way EU is
| an improvement over just having your local
| representatives.
| emteycz wrote:
| Wrong since at least 2009. The EU has the right to force
| regulations and directives - if the country doesn't
| implement EU law correctly, the EU can sue the state,
| stop the flow of donations and place sanctions...
|
| The EU itself says so:
|
| - https://ec.europa.eu/info/law/law-making-
| process/applying-eu...
|
| - https://ec.europa.eu/info/law/law-making-
| process/applying-eu...
| 66fm472tjy7 wrote:
| Is the draft of the revision available anywhere? I don't see a
| link anywhere in the position paper. Article 45 in the current
| regulation[0] says nothing about browsers. I am curious about the
| exact language that would force Firefox to support the technology
| and include the TSPs in their root store.
|
| [0] https://eur-lex.europa.eu/legal-
| content/EN/TXT/HTML/?uri=CEL...
| sleevi wrote:
| https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM%3A20...
___________________________________________________________________
(page generated 2021-11-17 23:01 UTC)