So, how close are we to having to compile our own browsers to ensure we can still use valid certificates? And which CAs will be trustworthy after this?
Recognition means that web browsers are required to ensure support and interoperability for the QWAC for the sole purpose of displaying identity data in a user-friendly manner. *Recognition of QWACs implies that browsers shouldn't question the origin, integrity or data in the certificate*.
However, the requirement to recognise QWACs does not affect browser security policies and leaves web browsers free to preserve their own procedures and criteria for encryption and authentication of *other certificates*.
The digital certificate mandate ideas for browsers are pretty concerning, IMHO. But I'm not sure yet what will be in the final bill that will be voted on.
I will have to see my MEP in order to start setting up real-life technical Big Tech regulation.
We'll start with interoperability with basic email, noscript/basic (x)html, and maybe IRC or a super simple HTTP 1.1 based protocol to have interaction push-oriented protocols. For audio/video calls, we don't have ultra-simple protocols, we would need to design some.
Although the press release mentions eID only (it's different than eIDAS), there's a part that seems worrying and this could mean that eIDAS was finally approved behind closed doors:
> Finally, the revised law clarifies the scope of the qualified web authentication certificates (QWACs), which ensures that users can verify who is behind a website, while preserving the current well-established industry security rules and standards.
The title is wrong, the agreement isn't about that part, but from what I understand yes. Basically the browser should be agnostic. From my limited knowledge, unless the news reaches enough people, that part might stay. If the news reaches a mainstream (or a politically significant) media, it will probably be removed.
I'll use my limited knowledge earned by participating in pointless meetings (and interest meals) in Brussels, with bureaucrats, to explain how easy it is to prevent the QWACs part from being put into law.
There is a point you have to understand: European politics are not like the US. It's more 'representative' in the sense that you don't have hard party lines on 95% of the issues, and less because like 30% of the population vote. Still, MEPs can mostly vote as they like.
The bill isn't liked. All across the parliament, individual members will vote against. The far-right will vote against, as will most of the 'hard right'. A small part of the conservative right will also vote against: the issue is around the 'European identity' part of the bill (and lately some EPP people seem less federalist than they used to). 'The Left' (the party, hard left and associated) might vote against, they are big on privacy but also they see how the bill will help (not the QWACs part, the eID part) bureaucracy-averse workers.
So now, the support: you have EPP, Renew, the socialists (forgot the group name) and the greens. It'll be impossible to convince Renew to drop the QWACs part. They are the 'liberal' right, but despite calling themselves liberals, they're not big on liberties, the party lines won't change. For EPP, you might convince one or two more, but the party line won't budge (they are really friendly with the commission).
The two parties we can convince are the socialists and the greens. We need a center-left/green journal to push back on the QWACs part of the bill. The greens might be hard to convince (they seem to have replaced most of their competent MPs with pro politicians in the last 10 years, it's hard to admit for me but I would trust an EPP member more than a green member right now), but we might make it.
Why do you editorialize the title? Especially a press release.
> please use the original title, unless it is misleading or linkbait; don't editorialize.
https://news.ycombinator.com/newsguidelines.html