[HN Gopher] What the QWAC? an EV Certificate all over again
___________________________________________________________________
What the QWAC? an EV Certificate all over again

Author : charleyablaze
Score : 27 points
Date : 2023-11-07 21:40 UTC (1 hours ago)

(HTM) web link (scotthelme.co.uk)
(TXT) w3m dump (scotthelme.co.uk)

| thedaly wrote:
| He leaked excerpts from the text but not the full document. I
| would really like to read the actual full text document. The fact
| that the European commission keeps the draft legislation secret
| is concerning.
|
| Is this the typical process for all EU regulation?

| dang wrote:
| Url changed from
| https://twitter.com/Scott_Helme/status/1721905520788086836, which
| points to this.

| dang wrote:
| Related ongoing thread:
|
| _Article 45 of eIDAS 2.0 will roll back web security by 12
| years_ - https://news.ycombinator.com/item?id=38181114 - Nov 2023
| (77 comments)
|
| Also: (others?)
|
| _Joint statement of scientists and NGOs on the EU's proposed
| eIDAS reform_ - https://news.ycombinator.com/item?id=38126997 -
| Nov 2023 (63 comments)
|
| _Last Chance to fix eIDAS: Secret EU law threatens Internet
| security_ - https://news.ycombinator.com/item?id=38109494 - Nov
| 2023 (299 comments)
|
| _EFF about EU: EIDAS 2.0 Sets a Dangerous Precedent for Web
| Security_ - https://news.ycombinator.com/item?id=33966364 - Dec
| 2022 (44 comments)
|
| _EU legislation eIDAS article 45.2 may force inclusion of
| insecure QWAC root CAs_ -
| https://news.ycombinator.com/item?id=32093891 - July 2022 (36
| comments)
|
| _Mozilla and the EFF publish letter about the danger of Article
| 45.2_ - https://news.ycombinator.com/item?id=30549119 - March
| 2022 (13 comments)

| charleyablaze wrote:
| The secret text of Article 45:
|
| > I have access to the near-final text of the regulation, which
| is not yet public, but was leaked to me by a confidential source.
|
| 'qualified certificate for website authentication' means a
| certificate for website authentication, which is issued by a
| qualified trust service provider and meets the requirements laid
| down in Annex IV; Qualified certificates for website
| authentication shall meet the requirements laid down in Annex IV.
| Evaluation of compliance with those requirements shall be carried
| out in accordance with the standards and the specifications
| referred to in paragraph 3.
|
| Qualified certificates for website authentication issued in
| accordance with paragraph 1 shall be recognised by web-browsers.
| Web-browsers shall ensure that the identity data attested in the
| certificate and additional attested attributes are displayed in a
| user-friendly manner. Web-browsers shall ensure support and
| interoperability with qualified certificates for website
| authentication referred to in paragraph 1
|
| Qualified certificates for website authentication shall not be
| subject to any mandatory requirements other than the requirements
| laid down in paragraph 1.
|
| 1. Web-browsers shall not take any measures contrary to their
| obligations set out in Art 45, notably the requirement to
| recognise Qualified Certificates for Web Authentication, and to
| display the identity data provided in a user friendly manner.
|
| 2. By way of derogation to paragraph 1 and only in case of
| substantiated concerns related to breaches of security or loss of
| integrity of an identified certificate or set of certificates,
| web-browsers may take precautionary measures in relation to that
| certificate or set of certificates
|
| 3. Where measures are taken, web-browsers shall notify their
| concerns in writing without undue delay, jointly with a
| description of the measures taken to mitigate those concerns, to
| the Commission, the competent supervisory authority, the entity
| to whom the certificate was issued and to the qualified trust
| service provider that issued that certificate or set of
| certificates. Upon receipt of such a notification, the competent
| supervisory authority shall issue an acknowledgement of receipt
| to the web-browser in question.
|
| 4. The competent supervisory authority shall consider the issues
| raised in the notification in accordance with Article 17(3)(c).
| When the outcome of that investigation does not result in the
| withdrawal of the qualified status of the certificate(s), the
| supervisory authority shall inform the web-browser accordingly
| and request it to put an end to the precautionary measures
| referred to in paragraph 2.
|
| There is also recital text which I did not copy.
___________________________________________________________________
(page generated 2023-11-07 23:00 UTC)