Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I fail to see the problem here. Their QWAC are root certificates that do not adhere to their idea of a "strict vetting approach". That sounds scary, until you realise all major browsers have happily accepted the LetsEncrypt-CA, when LetsEncrypt does no vetting at all.

To me this sounds like "have a little duck next to the padlock, make users understand that not all encryption is alike" could be a solution.

What am I missing?



I assume they’re referring to the CA/B Baseline Requirements, which the browser vendors take extremely seriously.

https://cabforum.org/baseline-requirements-documents/

But the OP webpage is so terrible that I’m really not sure what they’re talking about.


The problem is that it becomes mandatory for browsers to include a list of root certificates that may or may not conform to standards, and are not allowed under any circumstance to remove those root certificates. This means that in a case like DigiNotar (root CA of the national QWAC issuer compromised) it would be impossible for browsers to legally choose to secure their users and remove the compromised root from the trust list.

Additionally, eIDAS CA requirements and vetting have not been as strict as those in the CA/B Forum Baseline Requirements and the other documents related to DV/OV/EV certificate issuance.

Apart from that, there are known problems with QWAC (mostly related to name collisions, and the mostly manual process of vetting information being prone to errors), but that is generally a lesser issue than the above two.


> and are not allowed under any circumstance to remove those root certificates

Browsers would be forbidden from just deciding on their own to remove a root, but I imagine trust agents can lose their status and get removed from all browsers if they misbehave.

Decision on removal would lie with some EU agency though, not with individual browsers.

Do you have some more information about the actual differences between the requirements? I'd be interested to know and the article is certainly not telling them.

> mostly related to name collisions, and the mostly manual process of vetting information being prone to errors

What name collisions are those? If it's the old issue with confusing company names, the new certificates are supposed to contain a street address and a unique identifier to resolve that.


I hope the QWAC proposal at least has subdomain constraints.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: