[HN Gopher] Some observations on the final text of the European ...
___________________________________________________________________
Some observations on the final text of the European Digital
Identity framework
Author : raybb
Score : 96 points
Date : 2023-11-24 17:38 UTC (5 hours ago)
(HTM) web link (blog.xot.nl)
(TXT) w3m dump (blog.xot.nl)
| asdffdasasdf wrote:
| > We were concerned about the phrasing of Article 45, that lays
| down a requirement for browsers to recognize any certificate ...
|
| So same as today but with fewer steps?
|
| Most govs are already in your browser/OS CA list. And every single
| government forces you to download their own cert and add it to your
| browser at some point. There's no way to add that cert and say
| "limit this to gov.in only"! After you've added that cert it is game
| over.
|
| e.g. https://pki.treas.gov/crl_certs.htm
| https://www.bit.admin.ch/bit/en/home/themes/swiss-government...
| plus all the gov CAs already in your browser (looking at the Firefox
| source they include Guangdong, Taiwan, Hong Kong, the Netherlands and
| Greece. iOS 16 contains Spain, Belgium, something called
| "Government Root Certification Authority 00 B6 4B 88 07 E2 23 EE
| C8 5C 12 AD A6 0E 06 A1 F2" :shrug, Greece, HK, the Netherlands,
| Switzerland.)
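X.509 does define a NameConstraints extension that can restrict a CA to a DNS subtree such as gov.in, although mainstream browsers do not offer a way to attach one when a user imports a root manually. The following is an added example, not code from the thread: a pure-Python implementation of the RFC 5280 dNSName constraint matching rule, exercised against constructed host names.

```python
# Added example (not from the thread): RFC 5280 section 4.2.1.10 dNSName
# name-constraint matching, i.e. the rule that would let a root be
# "limited to gov.in only". Pure Python, no dependencies.

def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_in_subtree(name: str, base: str) -> bool:
    """True if `name` equals `base` or is a subdomain of it.

    The comparison is label-wise, so "fakegov.in" does NOT match "gov.in"
    even though it ends with the same characters.
    """
    n, b = _labels(name), _labels(base)
    return len(n) >= len(b) and n[-len(b):] == b


def dns_name_permitted(name: str, permitted: list[str], excluded: list[str]) -> bool:
    """Apply a CA's NameConstraints to one dNSName.

    - excluded subtrees always win over permitted ones;
    - an empty permitted list means "no restriction", which is the
      unconstrained-root case: such a CA can vouch for any host name.
    """
    if any(dns_in_subtree(name, e) for e in excluded):
        return False
    if permitted and not any(dns_in_subtree(name, p) for p in permitted):
        return False
    return True


def leaf_allowed(san_dns_names: list[str], permitted: list[str], excluded: list[str]) -> bool:
    """A leaf is acceptable only if every dNSName in its SAN is permitted.

    A wildcard such as "*.gov.in" is checked by its labels like any other
    name, so it is accepted under "gov.in" and rejected under "example.com".
    """
    return all(dns_name_permitted(n, permitted, excluded) for n in san_dns_names)


if __name__ == "__main__":
    # Constructed sample constraint: a root limited to gov.in, minus a test zone.
    permitted, excluded = ["gov.in"], ["test.gov.in"]
    for host in ["tax.gov.in", "fakegov.in", "example.com", "a.test.gov.in"]:
        verdict = "ok" if dns_name_permitted(host, permitted, excluded) else "rejected"
        print(f"{host:15} {verdict}")
```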
| barbazoo wrote:
| > And every single government forces you to download their own
| cert
|
| Is that true though? I've immigrated quite a bunch (western
| world only) and never had to download a certificate when
| interacting with the government.
| Maken wrote:
| They used to. Now most governments just have their own
| "proper" CAs which are included by default in web browsers.
| If you look at the default CA list of Firefox or Chrome you
| will see most of them are public agencies.
| theonlybutlet wrote:
| I think Certificate Transparency checks mean you should be
| able to tell if the certificate was fraudulently issued for
| a domain that is not with the CA. (This circumvents that.)
|
| In your scenario, if the domain's CA is the government CA
| anyway, then it's fair game. Most domains' CA will be
| Cloudflare or whatever, not the government CA.
| asdffdasasdf wrote:
| Here's one example, the Brazil IRS
| https://www.receita.gov.br/
|
| Good luck finding the cert if you didn't download your
| Firefox in Brazilian Portuguese or didn't register your Apple
| device in Brazil. I mean, it is not difficult to find the
| cert, but it is a pain for travelers.
| grotorea wrote:
| The problem seems to be "wrong domain", not "CA not
| recognized". You sure you have the right URL?
| asdffdasasdf wrote:
| I'm on mobile. Probably got the wrong URL. I only have
| bookmarks for the CA certs https://www.gov.br/iti/pt-
| br/assuntos/repositorio/repositori...
| Astraco wrote:
| As far as I know my country doesn't force me to download any
| certificate, and Firefox doesn't have a cert issued by my
| government.
| ysofunny wrote:
| Nonetheless your government can force your ISP to do so many
| things.
| droffel wrote:
| Without a valid certificate, any ISP MITM attacks would be
| obvious
| Astraco wrote:
| Yeah, and send somebody to my house to shoot me in the head.
| But none of that is happening.
| the_mitsuhiko wrote:
| I'm curious though what CA your country uses for governmental
| services. Historically a lot of EU countries used some less
| than stellar CAs.
| Astraco wrote:
| My local government is using GlobalSign and the Tax Agency
| (and probably all of the central government) uses Entrust.
| kmeisthax wrote:
| Currently the default trust list in your browser is solely
| decided by your browser. More specifically there's an
| organization called the CA/Browser Forum where all the browser
| vendors are. If you want to become a CA today, you go to the
| Forum, submit your proposal, and then the browser vendors
| decide whether or not you're trustworthy. If a CA misissues
| certificates or otherwise screws up security, that evidence
| goes to the Forum and then browsers decide how to deal with
| that CA. Notably, in the worst case scenario, the browser
| developers can and _have_ decided to completely distrust an
| entire CA, completely destroying their business. This has
| happened multiple times.
|
| eIDAS changes this by, effectively, creating a special EU
| government analogue to the CA/Browser Forum. All browser
| developers in the EU _have_ to trust eIDAS's CAs. This is a
| transfer of power from a voluntary industry consortium to
| appointed EU technocrats.
|
| All those existing government CAs are currently audited by
| CA/B. If Greece gets caught misissuing certificates they can
| have their CA roots revoked by the browser vendors. The concern
| is that under eIDAS, the EU could just not revoke the
| certificate, and the browser vendors' hands would be tied.
| They'd be forced to accept known bad CAs and every cert they
| sign, including the spyware ones.
| ko27 wrote:
| > This is a transfer of power from a voluntary industry
| consortium to appointed EU technocrats
|
| Or a transfer of power from US-centric companies to actual
| sovereign bodies. I don't want to live in a cyberpunk world.
| This sounds good to me. Note that browsers are still allowed
| to remove them if they are compromised.
| danielheath wrote:
| Browsers are allowed to ask permission to remove them if
| they are compromised.
|
| They still have to receive that permission before they can
| do it.
| dataking wrote:
| I believe it is well understood by now that users tend to
| ignore security warnings; anyone serious about computer
| security will not accept this as a solution. We don't
| even apply security-critical patches reliably.
| foota wrote:
| It's pretty much an open forum, you can go and read
| discussions where they've removed CAs. It's more oriented
| around the individuals than the companies.
| nonethewiser wrote:
| > Or a transfer of power from US-centric companies to
| actual sovereign bodies.
|
| Why are you characterizing the CA/Browser Forum as US-centric
| companies? It's a collection of certificate issuers
| from all over and notably includes the European Accredited
| Conformity Assessment Bodies' Council and the European
| Telecommunications Standards Institute.
| Vinnl wrote:
| The thing is that you can currently choose which org to
| give that power, and at least so far, those orgs have acted
| in line with wanting you to choose them (i.e. on your
| behalf).
| Xymist wrote:
| I would far rather have things decided by US-centric
| companies than even somewhat influenced by France and
| Germany. At least the former have comprehensible
| motivations.
| rad_gruchalski wrote:
| Sovereign my ass when they can issue any cert and MITM
| anything without any recourse.
| dataking wrote:
| A reasonable concern here is that power is transferred from
| subject matter experts to technocrats with a poor track
| record of making technical decisions. Some recent examples
| of EU tech debacles include Quaero, Galileo, Gaia-X, Ariane
| 6.
| tsimionescu wrote:
| The game is not over just because you trust a CA. If they sign
| a certificate for a domain, they have to also publish that they
| did (in the CT logs) before browsers will accept it. If they do
| so for an entity that didn't ask for it, that will be
| investigated by browser and OS vendors and it may easily end up
| with the CA becoming untrusted.
| theonlybutlet wrote:
| Well this is it, they will no longer become untrusted. They
| can, however, ask to have the offending certificate revoked if
| they have proof it's bad and once they have permission from
| the authorities (they kind of have to grant the permission if
| there's evidence, but it will be on the authorities' timeline).
| neodypsis wrote:
| In my own country, for digital signature purposes, the official
| Windows installer provided by the government adds the country's
| Central Bank's CA for any purposes, even for software
| signatures. If you have a company, they also force you to use
| their own application for making some annual declarations. That
| software asks for your OS user password using a home-brew
| dialog so that it can update itself. If you don't provide the
| password then it blocks and you can't make the obligatory
| declaration. If you don't send said declaration, you are liable
| for big fines...
| theonlybutlet wrote:
| Well that's dystopian.
| neodypsis wrote:
| The same central bank is asking banks (and other entities)
| for unanonymized information about Costa Ricans, including
| bank deposits, to publish an "information package" indexed
| by geographical location. This under the pretext of being
| required by the IMF. I found it curious that nobody in the
| legislative commission (akin to a "congressional hearing")
| tasked with looking into the matter has mentioned the
| importance of differential privacy.
| noodlesUK wrote:
| I'm curious what country this is, if you're willing to share.
|
| I'm surprised any business filing is using a desktop app
| rather than on the web these days.
| neodypsis wrote:
| Costa Rica. And before you can download some of the
| installers, they ask for your unique digital signature card
| number.
| neodypsis wrote:
| > I'm surprised any business filing is using a desktop app
| rather than on the web these days.
|
| It's a complete nightmare. If you want to use some other
| digital services you are restricted to specific browser
| versions, some only allow you to use Windows, and in some
| cases the unsigned installer is only available via HTTP.
| amluto wrote:
| I filed the obvious bug against Firefox ten years ago :(
|
| https://bugzilla.mozilla.org/show_bug.cgi?id=953322
| ganzuul wrote:
| Weasel words. "Running additional security checks" is certainly
| going to mean the UI checks, not anything on the backend.
|
| Cookie banners happened because US devs didn't steelman EU regs.
| Petty territorial behavior. This looks like someone trying not to
| learn their lesson.
| nonethewiser wrote:
| > Cookie banners happened because US devs didn't steelman EU
| regs.
|
| What would steelmanning EU regs have looked like? Not really
| sure what you mean by this.
| logifail wrote:
| > What would steelmanning EU regs have looked like?
|
| A simple "decline [all]" / "accept" choice, not a huge list
| with dozens of sliders for dozens of options each labelled
| "legitimate interest" _all of which are set to "Accept" by
| default_?
| ganzuul wrote:
| A header to opt in instead of a banner...
|
| I'm sorry now I'm confused. Is UI design this hard? Is this
| neurotypical?
| tempodox wrote:
| Yes, stupid shit like punishing your users with abusive UI
| for regulations you dislike is neurotypical.
| Tuna-Fish wrote:
| Only use cookies to provide services that the user
| specifically asks you to provide. Never use cookies for
| anything where the action wasn't initiated by the user. That
| way, nothing you do requires asking for consent and you don't
| need a stupid banner.
| agbrrw wrote:
| >Cookie banners happened because US devs didn't steelman EU
| regs.
|
| EU sites have the same amount of cookie banners as US ones
| (i.e., all major sites have one).
| dataking wrote:
| I frequently travel to the EU and the amount of cookie
| banners is decidedly higher.
| theonlybutlet wrote:
| So basically:
|
| Governments are being given authority to create dodgy
| certificates,
|
| Browsers can't take it down if discovered unless they have
| evidence it's being used and will be harmful, and
|
| Browsers need to advise and wait for the requisite approval [of
| authorities] for when the browser can take it down (i.e. the
| authorities can decide how long it stays up).
|
| Or am I missing something?
| Astraco wrote:
| I think they are just certs to identify yourself to EU or
| national institutions for procedures (filing taxes and so on),
| like the certs some European countries issue.
| sigilis wrote:
| The proposed certificate authorities can generate
| certificates for any entity, not just EU sites and not just
| new ones. They would have to be treated as valid, per the
| regulation.
|
| Trust is the critical component in the PKI infrastructure.
| When it's subverted and you can't just remove the offending
| authorities, then it's not really working properly anymore.
| INTPenis wrote:
| I'm speaking as a naive end user here. BankID in Sweden turns 20
| this year. I've been using it for 15 years. Started out as an app
| on Mac, Windows, now it's on your cellphone.
|
| People have criticized it but in 15 years I have yet to hear about
| a security issue with the app or the protocol. I have yet to hear
| about a problem with it.
|
| All I see are advantages.
|
| And Sweden isn't alone in using some sort of eID.
|
| So how come the EU can't just build on existing experience? Why
| are they making it more difficult?
| konschubert wrote:
| One disadvantage: As a temporary visitor to Sweden, since you
| don't have a personnummer, you're fucked.
| nextos wrote:
| Yes, this is a huge problem. In fact, when looking into
| Swedish jobs, you are usually advised to try to get a
| personnummer ASAP to make your relocation as smooth as
| possible. Denmark also has similar problems with their
| digital ID.
|
| Any unusual scenario turns into a nightmare. For instance, I
| moved abroad during their transition from a codecard to an
| app, and I lost access to my bank account and all ID-linked
| services despite warning my bank about the potential problems
| months ahead of the forced transition. The only way to regain
| access is to travel back to Denmark and visit my bank or my
| local council.
| dariosalvi78 wrote:
| And this is why an EU-wide system is needed. I hold 3 digital
| identities (Spain, Italy and Sweden) and, believe me, it's
| not fun.
| nextos wrote:
| I agree, lack of standardization discourages freedom of
| movement.
|
| However, it is also necessary to make sure data privacy
| is factored in.
| DownGoat wrote:
| BankID is mostly snake oil. It's not really much more than TOTP
| 2FA, where you have to have shown physical ID to some of the
| involved organizations at some point. All the stuff they do
| with keys is pointless in the end, and is just theatrics to
| make it sound safe.
|
| The providers hold all the keys, you cannot verify that a
| signature is legit yourself, you won't get access to the keys
| they use to sign things, and a cryptographic signature is not
| really the same as a normal signature on a document.
___________________________________________________________________
(page generated 2023-11-24 23:00 UTC)