I fail to see the problem here. Their QWAC are root certificates that do not adhere to their idea of a "strict vetting approach". That sounds scary, until you realise all major browsers have happily accepted the LetsEncrypt-CA, when LetsEncrypt does no vetting at all.
To me this sounds like "have a little duck next to the padlock, make users understand that not all encryption is alike" could be a solution.
The problem is that it becomes mandatory for browsers to include a list of root certificates that may or may not conform to standards, and are not allowed under any circumstance to remove those root certificates. This means that in a case like DigiNotar (root CA of the national QWAC issuer compromised) it would be impossible for browsers to legally choose to secure their users and remove the compromised root from the trust list.
Additionally, eIDAS CA requirements and vetting have not been as strict as those in the CA/B Forum Baseline Requirements and the other documents related to DV/OV/EV certificate issuance.
Apart from that, there are known problems with QWAC (mostly related to name collisions, and the mostly manual process of vetting information being prone to errors), but that is generally a lesser issue than the above two.
> and are not allowed under any circumstance to remove those root certificates
Browsers would be forbidden from just deciding on their own to remove a root, but I imagine trust agents can lose their status and get removed from all browsers if they misbehave.
Decision on removal would lie with some EU agency though, not with individual browsers.
Do you have some more information about the actual differences between the requirements? I'd be interested to know and the article is certainly not telling them.
> mostly related to name collisions, and the mostly manual process of vetting information being prone to errors
What name collisions are those? If it's the old issue with confusing company names, the new certificates are supposed to contain a street address and a unique identifier to resolve that.
To me this sounds like "have a little duck next to the padlock, make users understand that not all encryption is alike" could be a solution.
What am I missing?