EU's Latest Internet Regulatory Madness: Destroying Internet Security With Its Digital Identity Framework

from the just-stop dept

The EU is at it again. Recently Mozilla put out a position paper highlighting the latest dangerous move by busybody EU regulators who seem to think that they can magically regulate the internet without (1) understanding it, or (2) bothering to talk to people who do understand it. The issue is the Digital Identity Framework, which, in theory, is supposed to do some useful things regarding interoperability and digital identities. This could be really useful in enabling more end user control over identity and information (a key part of my whole Protocols, Not Platforms concept). But the devil is in the details, and the details are a mess.

It would force browsers to support a specific kind of authentication certificate — Qualified Web Authentication Certificates (QWACs) — but as Mozilla points out, that would be disastrous for security:

At the same time, the types of website certificates that browsers would be forced to accept, namely QWACs, are based on a flawed certificate architecture that is ill-suited for the security risks users face online today. In the years since the original eIDAS regulation was adopted in 2014, an increasing body of research has illustrated how the certificate architecture upon which QWACs are inspired – namely, extended validation certificates – lull individuals into a false sense of security that is often exploited for malicious purposes such as phishing and domain impersonation. For that reason, since 2019 no major browser showcases EV certificates directly in the URL address bar.

As such, should the revised Article 45 be adopted as is, Mozilla would no longer be able to honour the security commitments we make to the hundreds of millions of people who use our Firefox browser or any of the other browser and email products that also depend on Mozilla’s Root Program. It would amount to an unprecedented weakening of the website security ecosystem, and undercut the browser community’s ability to push back against authoritarian regimes’ interference with fundamental rights (see here and here for two recent examples).

As Mozilla notes, the EU can still fix this. Whether or not it does is an open question.


Comments on “EU's Latest Internet Regulatory Madness: Destroying Internet Security With Its Digital Identity Framework”

11 Comments
Scary Devil Monastery says:

Crap like this...

…is why I’m leaning toward the EU not being sustainable. Too many inept morons with Dunning-Kruger in positions of authority to change stuff they don’t understand in order to cater to a vision of the world which wasn’t even true thirty years ago when they first learned that technology was a thing.

This is why we can’t have nice things. The village idiot gets to make decisions for the village.

ECA says:

Re: Re: Crap like this...

The EU is independent of the nations they are ???
Each nation in Europe had to supply 1-2 people to the EU to regulate things for each country.
Most of Europe has Problems with the Euro Union. 1 group deciding What the whole of these nations can and can't do, and they are being paid Good money, to do the same thing those In country are supposed to be doing.

Scary Devil Monastery says:

Re: Re: Crap like this...

"The european union might be slightly larger than your average village."

The extended metaphor – every nation sending its village idiots to govern the EU – doesn’t really make it better. An empire run entirely by the court jesters and the "touched" rounded up and exiled from the courts of the member states who all watch the plague of the land toddle off to Brussels while drawing sighs of relief.

Vikarti Anatra says:

Main issue from actual Mozilla's PDF


Unfortunately the 2021 regulatory proposal makes the risks associated with the QWAC framework much more dramatic, and will lead to a regression in the security assurances that users have come to expect from their browsers. This is because through Article 45.2, the legislative proposal, in effect, mandates that browsers automatically include Trust Service Providers (TSPs) in their browser root programs. ‘Trust Service Providers’ (TSPs), in this context, are essentially Certificate Authorities (CAs) that can issue QWACs under the eIDAS regime. These TSPs are notified by member states and as Mozilla has highlighted in the past, many of them do not meet the criteria required to also be included in our Root Store. By mandating that TSPs be supported by browsers in general, and in particular when they fail to meet the security and audit criteria of their root program, Article 45.2 will negatively transform the website security ecosystem in a fundamental way. This is outlined in the following subsection in more detail

As far as I understood this means that browser’s root stores must use CAs for ‘special’ https certificates from CAs which have nothing to do with being open and accountable to public. They also can be insecure.
Another possibility is that it would be harder to find a reason other than ‘we don’t trust your government’ to NOT accept the Chinese (or Burmese (https://www.techdirt.com/articles/20211114/17280147944/updated-myanmars-military-junta-sentences-american-journalist-to-eleven-years-prison.shtml)) version of it.

All browser
