[HN Gopher] What the QWAC? an EV Certificate all over again
       ___________________________________________________________________
        
       What the QWAC? an EV Certificate all over again
        
       Author : charleyablaze
       Score  : 27 points
       Date   : 2023-11-07 21:40 UTC (1 hours ago)
        
 (HTM) web link (scotthelme.co.uk)
 (TXT) w3m dump (scotthelme.co.uk)
        
       | thedaly wrote:
       | He leaked excerpts from the text but not the full document. I
       | would really like to read the actual full text document. The fact
       | that the European Commission keeps the draft legislation secret
       | is concerning.
       | 
       | Is this the typical process for all EU regulation?
        
       | dang wrote:
       | Url changed from
       | https://twitter.com/Scott_Helme/status/1721905520788086836, which
       | points to this.
        
       | dang wrote:
       | Related ongoing thread:
       | 
       |  _Article 45 of eIDAS 2.0 will roll back web security by 12
       | years_ - https://news.ycombinator.com/item?id=38181114 - Nov 2023
       | (77 comments)
       | 
       | Also: (others?)
       | 
       |  _Joint statement of scientists and NGOs on the EU's proposed
       | eIDAS reform_ - https://news.ycombinator.com/item?id=38126997 -
       | Nov 2023 (63 comments)
       | 
       |  _Last Chance to fix eIDAS: Secret EU law threatens Internet
       | security_ - https://news.ycombinator.com/item?id=38109494 - Nov
       | 2023 (299 comments)
       | 
       |  _EFF about EU: EIDAS 2.0 Sets a Dangerous Precedent for Web
       | Security_ - https://news.ycombinator.com/item?id=33966364 - Dec
       | 2022 (44 comments)
       | 
       |  _EU legislation eIDAS article 45.2 may force inclusion of
       | insecure QWAC root CAs_ -
       | https://news.ycombinator.com/item?id=32093891 - July 2022 (36
       | comments)
       | 
       |  _Mozilla and the EFF publish letter about the danger of Article
       | 45.2_ - https://news.ycombinator.com/item?id=30549119 - March
       | 2022 (13 comments)
        
       | charleyablaze wrote:
       | The secret text of Article 45:
       | 
       | > I have access to the near-final text of the regulation, which
       | is not yet public, but was leaked to me by a confidential source.
       | 
       | 'qualified certificate for website authentication' means a
       | certificate for website authentication, which is issued by a
       | qualified trust service provider and meets the requirements laid
       | down in Annex IV;
       | 
       | Qualified certificates for website authentication shall meet the
       | requirements laid down in Annex IV. Evaluation of compliance with
       | those requirements shall be carried out in accordance with the
       | standards and the specifications referred to in paragraph 3.
       | 
       | Qualified certificates for website authentication issued in
       | accordance with paragraph 1 shall be recognised by web-browsers.
       | Web-browsers shall ensure that the identity data attested in the
       | certificate and additional attested attributes are displayed in a
       | user-friendly manner. Web-browsers shall ensure support and
       | interoperability with qualified certificates for website
       | authentication referred to in paragraph 1.
       | 
       | Qualified certificates for website authentication shall not be
       | subject to any mandatory requirements other than the requirements
       | laid down in paragraph 1.
       | 
       | 1. Web-browsers shall not take any measures contrary to their
       | obligations set out in Art 45, notably the requirement to
       | recognise Qualified Certificates for Web Authentication, and to
       | display the identity data provided in a user friendly manner.
       | 
       | 2. By way of derogation to paragraph 1 and only in case of
       | substantiated concerns related to breaches of security or loss of
       | integrity of an identified certificate or set of certificates,
       | web-browsers may take precautionary measures in relation to that
       | certificate or set of certificates.
       | 
       | 3. Where measures are taken, web-browsers shall notify their
       | concerns in writing without undue delay, jointly with a
       | description of the measures taken to mitigate those concerns, to
       | the Commission, the competent supervisory authority, the entity
       | to whom the certificate was issued and to the qualified trust
       | service provider that issued that certificate or set of
       | certificates. Upon receipt of such a notification, the competent
       | supervisory authority shall issue an acknowledgement of receipt
       | to the web-browser in question.
       | 
       | 4. The competent supervisory authority shall consider the issues
       | raised in the notification in accordance with Article 17(3)(c).
       | When the outcome of that investigation does not result in the
       | withdrawal of the qualified status of the certificate(s), the
       | supervisory authority shall inform the web-browser accordingly
       | and request it to put an end to the precautionary measures
       | referred to in paragraph 2.
       | 
       | There is also recital text which I did not copy.
        
       ___________________________________________________________________
       (page generated 2023-11-07 23:00 UTC)