Some observations on the final text of the European Digital Identity framework (xot.nl)
169 points by raybb on Nov 24, 2023 | 147 comments



> We were concerned about the phrasing of Article 45, that lays down a requirement for browsers to recognize any certificate ...

So same as today but with fewer steps?

Most govs are already in your browser/OS CA list. And every single government forces you to download its own cert and add it to your browser at some point. There's no way to add that cert and say "limit this to gov.in only"! After you have added that cert it is game over.

e.g. https://pki.treas.gov/crl_certs.htm https://www.bit.admin.ch/bit/en/home/themes/swiss-government... plus all the gov CAs already in your browser (looking at the Firefox source, they include Guangdong, Taiwan, Hong Kong, the Netherlands and Greece). iOS 16 contains Spain, Belgium, something called "Government Root Certification Authority 00 B6 4B 88 07 E2 23 EE C8 5C 12 AD A6 0E 06 A1 F2" :shrug:, Greece, HK, the Netherlands, Switzerland.


Currently the default trust list in your browser is solely decided by your browser. More specifically there's an organization called the CA/Browser Forum where all the browser vendors are. If you want to become a CA today, you go to the Forum, submit your proposal, and then the browser vendors decide whether or not you're trustworthy. If a CA misissues certificates or otherwise screws up security, that evidence goes to the Forum and then browsers decide how to deal with that CA. Notably, in the worst case scenario, the browser developers can and have decided to completely distrust an entire CA, completely destroying their business. This has happened multiple times.

eIDAS changes this by, effectively, creating a special EU government analogue to the CA/Browser Forum. All browser developers in the EU have to trust eIDAS's CAs. This is a transfer of power from a voluntary industry consortium to appointed EU technocrats.

All those existing government CAs are currently audited by CA/B. If Greece gets caught misissuing certificates they can have their CA roots revoked by the browser vendors. The concern is that under eIDAS, the EU could just not revoke the certificate, and the browser vendors' hands would be tied. They'd be forced to accept known bad CAs and every cert they sign, including the spyware ones.


> eIDAS changes this by, effectively, creating a special EU government analogue to the CA/Browser Forum. All browser developers in the EU have to trust eIDAS's CAs. This is a transfer of power from a voluntary industry consortium to appointed EU technocrats.

The flipside is that while it may be a "voluntary consortium", all major browsers are developed by entities based in the US, that are therefore subject to National Security Letters etc. (and, more insidiously, US social pressure). When the next Snowden-style revelation comes out, what's to stop the US security apparatus from blocking sites associated with it? So yeah, I see more upside than downside in my browser having at least some accountability to the EU.

> All those existing government CAs are currently audited by CA/B. If Greece gets caught misissuing certificates they can have their CA roots revoked by the browser vendors. The concern is that under eIDAS, the EU could just not revoke the certificate, and the browser vendors' hands would be tied. They'd be forced to accept known bad CAs and every cert they sign, including the spyware ones.

I mean sure, you have to accept the government of Greece's certificate because they're the legitimate authority, just like you can't refuse to accept a Greek passport because you think it looks dodgy or you've never heard of Greece. If their government is issuing bad certificates, normal government accountability mechanisms apply, just like with countries that are known to sell citizenships to the wealthy. Again that seems right and proper.


> all major browsers are developed by entities based in the US, that are therefore subject to National Security Letters

Those browsers are Open Source. (Well, Firefox is, and Chrome's core is even though Chrome isn't). If they tried to ship a MITM-enabling mechanism it'd be obvious.

> I mean sure, you have to accept the government of Greece's certificate because they're the legitimate authority

They're not the authority for arbitrary domains on the Internet, no. Only domains that have requested a certificate through that CA. This is what Certificate Transparency is for. If a Certificate Transparency log shows a CA (governmental or otherwise) issuing a certificate for somecompany.example, and the entity controlling somecompany.example didn't request that certificate, that CA has some explaining to do, and if the answer isn't "here's exactly what happened and how we'll make sure it can never happen again", the likely outcome is that browsers will stop trusting that CA.

The point of CT is that you can't silently issue MITM certificates without permanently burning an entire CA to do it.


> If they tried to ship a MITM-enabling mechanism it'd be obvious.

A straight up blocklist wouldn't be though. Just treat it like a CRL entry or something.

> They're not the authority for arbitrary domains on the Internet, no.

Agreed. But they're the authority for Greek domains. If anything, it's letting some other entity issue certificates for those that's strange.


EU governments will be even more subject to pressure from the US. I don't understand how anyone could doubt they will comply with every request from the US government.

The difference is that the current decision makers only have power because other people trust them voluntarily. That makes them accountable, and it means a whistleblower can do much more to limit the damage by leaking the fact they are giving in to US pressure.

A government can impose its will by force, so it is much less accountable and doesn't have to worry about the consequences of its decisions nearly as much. There is nothing I can realistically do if I object to a decision by a government unless I'm a large political donor because governments don't need my consent to operate.


> the current decision makers only have power because other people trust them voluntarily.

Not really. Plenty of EU citizens don't trust Microsoft, Google or Apple. But there's no practical alternative. The government of an individual EU country has a lot more accountability than that.


They can install an open-source OS/browser and ignore Microsoft, Google, and Apple. There is nothing they can realistically do when they don't trust a government.

Governments ultimately derive their power from their ability to impose their will by violence. That makes them inherently less accountable than organizations that you are free to ignore.


Someone who doesn't trust a government can move countries, particularly in the EU. I'd argue that it's actually easier to avoid a given EU government than to use an OS/browser combination that's not controlled by US entities.


That's frankly ridiculous. Moving countries is expensive, and there are a limited number of countries in the EU and the world. If you can't afford to move or don't trust any of them, you are out of luck.

Installing an open-source OS and browser is free and the options are practically unlimited as anyone is free to create a new alternative.


> Installing an open-source OS and browser is free and the options are practically unlimited

There's what, two and a half real options? Even open-source applications wilfully cut off any non-mainstream OS (see the whole systemd saga). "Anyone is free to create a new browser", sure, but in practice it's now so expensive that even Microsoft had to give up. I've absolutely got more practical choices of country.


I have no idea what you are talking about. There are literally infinite alternatives because you can freely modify any open-source alternative in infinite ways.

No one is going to kick down your door and shoot you if you try to make a new browser or OS from scratch, like they would if you tried to make a new government, but there is really no reason to make a browser from scratch.

Microsoft didn't need to trust Google to fork Chromium, they didn't give up any power to Google and have exactly the same ability to influence web standards as if they had reinvented the browser. If they disagree with a choice the Chromium developers made, they can change it and keep the rest. The same applies to anyone who wants to do the same.

When it comes to certificate authorities, you don't even need to modify the browser or OS because they already allow you to add and remove authorities. The main reason people don't tend to do that is because they have no reason to. If you tried to start a new one, the natural thing to ask would be why I should trust you over the established certificate authorities. If your answer is that I don't have a choice because you have the backing of an army and police force that you will use against me if I don't, it doesn't exactly fill me with confidence.

The current certificate authorities don't need to threaten anyone with violence to secure their position, and they operate with significantly more transparency than any government I know of. Compared to governments, they are also much safer to trust because they rely on consent rather than force. A compromised or malicious certificate authority won't shoot you for trying to replace it, it has no enforcement mechanism beyond inertia.


> When it comes to certificate authorities, you don't even need to modify the browser or OS because they already allow you to add and remove authorities. The main reason people don't tend to do that is because they have no reason to.

They're already starting to make it more difficult. Look at what's happening with DoH where it's harder and harder to choose how your DNS queries get done and you get steered to CloudFlare (who are pretty low on my list of entities I want to trust) instead. Now that browsers have mostly succeeded in forcing HTTPS everywhere, expect them to start turning the screws.

> The current certificate authorities don't need to threaten anyone with violence to secure their position, and they operate with significantly more transparency than any government I know of.

Really? Can I make a FoI request to find out why a CA refused to issue a certificate to a particular entity? Is there a right of appeal if they refuse to issue a certificate on discriminatory grounds?


> They're already starting to make it more difficult. Look at what's happening with DoH where it's harder and harder to choose how your DNS queries get done and you get steered to CloudFlare (who are pretty low on my list of entities I want to trust) instead. Now that browsers have mostly succeeded in forcing HTTPS everywhere, expect them to start turning the screws.

DoH doesn't interfere with your ability to choose your own DNS provider. It only means that your DNS queries are between you and your DNS provider, free from the interference of your ISP and other third parties. It provides greater user freedom because your ISP cannot as easily force you to use their DNS provider. Nothing stops ISPs from offering DoH and some (e.g. Comcast) do offer it. Users may however benefit from using a DNS that's not affiliated with their ISP because ISPs are more vulnerable to censorship demands from governments. Usually, when a government demands that an ISP censor a website, the ISP will simply block DNS queries regarding that domain, allowing users of other DNS providers to escape the censorship. This may of course not be a long-term solution, as governments may be more likely to demand different censorship methods if fewer use the ISP DNS.

As far as I'm aware, no one has suggested that DoH should be mandatory. It is a sensible default that improves the privacy and security of most users, but a user who decides that they do not want to use DoH can simply opt out in the settings. Likewise, HTTPS is not mandatory either, and browsers will not prevent users from accessing insecure sites. They will however warn users to make sure they are aware of the risks. As far as I'm aware, browser vendors do not benefit from users using HTTPS everywhere. They encourage its use because it is generally beneficial to users.

> Really? Can I make a FoI request to find out why a CA refused to issue a certificate to a particular entity? Is there a right of appeal if they refuse to issue a certificate on discriminatory grounds?

A FoI request is just asking the government to give you information. They will never intentionally give you anything they do not want you to have. FoI laws tend to contain enough exceptions to cover any situation, but even if you should legally receive the information, there is nothing you can realistically do to make them provide it to you. Similarly, you can ask any organization for any information, and they can refuse. The same is true with appeals. You can ask an organization to reconsider its decision and for someone else in the organization to look at it, but the decision remains within the organization. The difference is what you can do once the decision has been finally made. Will the decision maker try to force me to adhere to their decision through violent means, or am I free to ignore them and try to convince others to do the same?

The main difference regarding transparency is that more information is made public by default in the current system (what good is the ability to request information if you don't even know that the thing you wanted to request information about happened?) and that decisions are made by several separate entities that need to justify their decisions to each other in order to maintain consensus.


Missed one important part in my other reply:

> As far as I'm aware, browser vendors do not benefit from users using HTTPS everywhere. They encourage its use because it is generally beneficial to users.

Google (which is to say DoubleClick), which funds the majority of browsers, has a huge financial interest in HTTPS. They make their money on ad tracking, and it suits them to put a moat around that; privacy initiatives help them by making it harder for any new competitors to get hold of the same information they built their business on.


> DoH doesn't interfere with your ability to choose your own DNS provider.

It may not make it impossible but it makes it harder. You need a provider that supports DoH, and your browser will ignore your OS-wide DNS setting. Previously your default DNS provider would be an ISP that you'd picked; now the default is whoever's most profitable for your browser maker (you might say you pick your browser, but there's less real choice there than there is for ISPs, at least where I live).

> As far as I'm aware, no one has suggested that DoH should be mandatory. It is a sensible default that improves the privacy and security of most users, but a user who decides that they do not want to use DoH can simply opt out in the settings. Likewise, HTTPS is not mandatory either, and browsers will not prevent users from accessing unsecure sites. They will however warn users to make sure they are aware of the risks.

They won't do it all at once, but they're making it harder and harder to access non-HTTPS sites. It's gone from a clear warning to a block page where accessing the HTTP version requires multiple clicks on tiny text; the next step will be to make it require a config tweak to even get that tiny text at all, and then they'll say that their telemetry conveniently shows few people are using that config tweak (because who could imagine that the kind of people who don't trust their browser maker would disable telemetry) so they're removing it. We've seen this whole playbook before. It'll be the same for DoH.

> A FoI request is just asking the government to give you information. They will never intentionally give you anything they do not want you to have. FoI laws tend to contain enough exceptions to cover any situation, but even if you should legally receive the information, there is nothing you can realistically do to make them provide it to you.

Governments are accountable to their citizens, not just in theory but in cultural practice, which is what really matters. If you get a bogus response to an FoI request then you can complain to your representatives, and if your representatives don't respond then you can vote them out. But more importantly, the clerk handling your request knows that their duty is to you, not their shareholders, and will generally act accordingly. And if they don't, there's a whole culture of whistleblowers, investigative journalists, activist judges and so on.

None of that exists for a private company CA where they're working for their shareholders and no-one expects them to do otherwise. Frankly even if it did leak out that a CA had refused to issue a certificate to someone who they just didn't like, it wouldn't even be a scandal unless you were lucky enough to catch the right moment where there was a social movement supporting that particular kind of person.


> This is a transfer of power from a voluntary industry consortium to appointed EU technocrats

Or a transfer of power from US-centric companies to actual sovereign bodies. I don't want to live in a cyberpunk world. This sounds good to me. Note that browsers are still allowed to remove them if they are compromised.


> Or a transfer of power from US-centric companies to actual sovereign bodies.

Why are you characterizing the CA/Browser forum as US-centric companies? It's a collection of certificate issuers from all over and notably includes the European Accredited Conformity Assessment Bodies' Council and the European Telecommunications Standards Institute.


The thing is that you can currently choose which org to give that power, and at least so far, those orgs have acted in line with wanting you to choose them (i.e. on your behalf).


Can you though? The loose consensus model means there's little accountability and no practical way to opt out of listening to a particular entity that you don't trust. There are tales of essentially "someone with an @google.com email" being able to tell a CA to stop issuing certificates to particular undesirables, and the CA complying.


You can, to a limited extent. If e.g. Google were to start censoring news.ycombinator.com by blocklisting its CAs, I could switch browsers to view it anyway. (Or vice versa, if there's a big security issue and one browser (who still trusts the relevant CAs) was vulnerable and another one was not, I might then consider switching browsers.)


> If e.g. Google were to start censoring news.ycombinator.com by blocklisting its CAs, I could switch browsers to view it anyway.

You could if it got to that point, but the CA would almost certainly "voluntarily" stop issuing certificates to news.ycombinator.com rather than face the risk of being blocklisted, and there's no way for you to opt out of that.


Hmm yeah that's a good point, not much you can do about that as a user.


It's pretty much an open forum, you can go and read discussions where they've removed CAs. It's more oriented around the individuals than the companies.


A reasonable concern here is that power is transferred from subject matter experts to technocrats with a poor track record of making technical decisions. Some recent examples of EU tech debacles include Quaero, Galileo, Gaia-X, Ariane 6.


On the other hand, the technocrats are beholden to actual elected officials, instead of the current situation where a group of random people selected by private companies coordinate their work by consensus without much formal structure and the members are beholden to nobody but their company boss.


Rule by consensus is basically democracy by whoever is motivated enough to show up. It seems to have an extremely good track record, especially compared with rule by central bureaucracy.

The exception is if the consensus is only among a small handful of large corporations that lack competition and then become the unaccountable technocrats. But in that case what you want from governments is not to take over as the malevolent bureaucracy, it's antitrust enforcement.


And those elected officials are beholden to the highest bidder. In the current system, the people who make CA decisions acquired that power voluntarily and seem to have acted benevolently in the past, that's way more than you can say about government officials.

The current voluntary system is also very open, and anyone can get involved and participate to a much larger extent than people realistically can in an electoral democracy. To me, the voluntary system seems to be better and safer for everyone who doesn't have a very large amount of money to throw at elections.


What's your concern with Galileo? Many experts consider it to be the best GNSS currently available:[1]

> The US constellation isn’t as accurate as the newer networks, said Roberts, the Sydney-based professor. “It used to be GPS was out in front,” he said. Now, though, the EU’s Galileo is in the lead, with China’s BeiDou close behind, he said.

[1] https://www.bloomberg.com/news/articles/2023-09-20/russia-s-...


Thanks for backing up your point with a link. I agree that Galileo is more accurate than the much older GPS system. On the other hand, the GPS system became fully operational in 1995 as far as I understand, and the Galileo system is yet to be fully operational almost a decade after the original target date.


And big EU tech successes like GDPR, DMA and many others. What's your point?

This is about identity regulation, not random rockets.


I certainly wouldn't call those successes.


I would far rather have things decided by US-centric companies than even somewhat influenced by France and Germany. At least the former have comprehensible motivations.


Browsers are allowed to ask permission to remove them if they are compromised.

They still have to receive that permission before they can do it.


I believe it is well understood by now that users tend to ignore security warnings; anyone serious about computer security will not accept this as a solution. We don't even apply security-critical patches reliably.


Lately I've found browsers no longer let me click past SSL errors (at least, not without digging deep through the settings panel first).


Sovereign-my-ass when they can issue any cert and mitm anything without any recourse.


> And every single government force you to download their own cert

Is that true though? I’ve immigrated quite a bunch (western world only) and never had to download a certificate when interacting with the government.


They used to. Now most governments just have their own "proper" CAs which are included by default in web browsers. If you look at the default CA list of Firefox or Chrome you will see most of them are public agencies.


I think Certificate transparency checks mean you should be able to tell if the certificate was fraudulently issued for a domain that is not with the CA. (This circumvents that.)

In your scenario, if the domain's CA is the government CA anyway, then it's fair game. Most domains' CA will be Cloudflare or whatever, not the government CA.


Here's one example, the Brazil IRS: https://www.receita.gov.br/

Good luck finding the cert if you didn't download your Firefox in Brazilian Portuguese or didn't register your Apple device in Brazil. I mean, it is not difficult to find the cert, but it is a pain for travelers.


The problem seems to be "wrong domain", not "CA not recognized". You sure you have the right URL?


I'm on mobile. Probably got the wrong URL. I only have bookmarks for the CA certs: https://www.gov.br/iti/pt-br/assuntos/repositorio/repositori...


But what do you need these certs for, is there a national website that gets an "insecure" warning if you visit it with a foreign version of Firefox?


Yeah, the tax preparation website and others.


The game is not over just because you trust a CA. If they sign a certificate for a domain, they have to also publish that they did (in the CT logs) before browsers will accept it. If they do so for an entity that didn't ask for it, that will be investigated by browser and OS vendors and it may easily end up with the CA becoming untrusted.


Well this is it, they will no longer become untrusted. They can however, ask to have the offending certificate revoked if they have proof it's bad and once they have permission from the authorities (they kind of have to grant the permission if there's evidence but will be on the authorities timeline).


AFAIK there is no requirement for CT in this regulation, and it prevents browsers from requiring it to accept the certificates.


I filed the obvious bug against Firefox ten years ago :(

https://bugzilla.mozilla.org/show_bug.cgi?id=953322


Do browsers check the CAA records for a domain if they exist? Seems like that would solve the issue.


No, and the standard (RFC 6844) says they must not. That's because, in the eyes of the standard, a CAA record is applicable at time of issuance, but a valid certificate could have been previously issued (and still be valid), even though you've moved to a new CAA record for your next certificate.

"Relying Applications MUST NOT use CAA records as part of certificate validation."

For what you're looking for, DANE (RFC 6698) would be more useful and enable the browser to check the presented certificate against DNS (so effectively CAA on the client).
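To make the distinction in this answer concrete, here is an added example (not from the thread or any CA's code base) of the issuance-time CAA check from RFC 6844 section 4: the CA climbs from the requested name towards the root until it finds a CAA RRset, then applies `issue` / `issuewild` and the critical flag. The zone data and CA names are constructed, the DNS is a plain dict so it runs offline, and the final function shows why a relying party that applied CAA at validation time would reject a certificate that was legitimately issued before the zone changed.

```python
"""Issuance-time CAA check following the lookup algorithm of RFC 6844 s.4.

Constructed example: DNS is a plain dict (no network), and the zone data and
CA identifiers below are made up for illustration. CNAME/DNAME chasing from
RFC 6844 is omitted for brevity.
"""
from dataclasses import dataclass
from typing import Dict, List

KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) is the issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # CA domain, optionally followed by ";params"; ";" = nobody

    @property
    def critical(self) -> bool:
        return bool(self.flags & 128)


# Constructed zone snapshot standing in for DNS responses (names end in ".").
FAKE_DNS: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "ca-a.example"),
        CAARecord(0, "issuewild", ";"),      # no wildcard certs from anyone
    ],
    "locked.example.com.": [
        CAARecord(0, "issue", ";"),          # nobody may issue for this name
    ],
    "strict.example.com.": [
        CAARecord(0, "issue", "ca-b.example"),
        CAARecord(128, "futuretag", "x"),    # unknown tag marked critical
    ],
}

# The same zone after the operator switched to a different CA.
FAKE_DNS_LATER: Dict[str, List[CAARecord]] = {
    **FAKE_DNS,
    "example.com.": [CAARecord(0, "issue", "ca-b.example")],
}


def parent(name: str) -> str:
    """'a.b.example.com.' -> 'b.example.com.'; 'com.' -> '.' (the root)."""
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def relevant_caa_set(name: str, dns: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Climb towards the root until a CAA RRset is found (RFC 6844 s.4).

    For a wildcard request the leading '*.' is stripped first, so the CAA
    policy of the parent name applies."""
    if name.startswith("*."):
        name = name[2:]
    if not name.endswith("."):
        name += "."
    while name != ".":
        rrset = dns.get(name)
        if rrset:
            return list(rrset)
        name = parent(name)
    return []  # no CAA anywhere in the chain: no restriction


def may_issue(name: str, ca_domain: str, dns: Dict[str, List[CAARecord]]) -> bool:
    """True iff ca_domain is permitted to issue for name at this moment."""
    rrset = relevant_caa_set(name, dns)
    # A critical property the CA does not understand forbids issuance.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    issue = [r for r in rrset if r.tag == "issue"]
    # issuewild governs wildcard requests when present; otherwise issue does.
    applicable = issuewild if (name.startswith("*.") and issuewild) else issue
    if not applicable:
        return True  # CAA present but silent on this kind of issuance
    for r in applicable:
        issuer = r.value.split(";", 1)[0].strip()   # drop ";key=value" params
        if issuer and issuer.lower() == ca_domain.lower():
            return True
    return False


def client_side_caa_would_reject(name: str, issuing_ca: str,
                                 dns_now: Dict[str, List[CAARecord]]) -> bool:
    """What happens if a relying party (wrongly) re-applies CAA at validation
    time: a still-valid certificate issued by issuing_ca before the zone
    changed is now rejected. This is the reason RFC 6844 says relying
    applications MUST NOT use CAA for certificate validation."""
    return not may_issue(name, issuing_ca, dns_now)


if __name__ == "__main__":
    print("ca-a may issue www.example.com:", may_issue("www.example.com", "ca-a.example", FAKE_DNS))
    print("ca-a may issue *.example.com:", may_issue("*.example.com", "ca-a.example", FAKE_DNS))
    print("client-side check after CA switch rejects old cert:",
          client_side_caa_would_reject("www.example.com", "ca-a.example", FAKE_DNS_LATER))
```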


As far as I know, they do not.

Even if they did, it doesn't really address the problem. In order to mount an effective impersonation attack, the attacker needs to either control the network or the DNS. In either case, they will generally be able to remove or change the CAA record; remember that DNSSEC deployment is comparatively rare and browsers do not verify DNSSEC in any case.


In my own country, for digital signature purposes, the official Windows installer provided by the government adds the country's Central Bank's CA for any purposes, even for software signatures. If you have a company, they also force you to use their own application for making some annual declarations. That software asks for your OS user password using a home-brew dialog so that it can update itself. If you don't provide the password then it blocks and you can't make the obligatory declaration. If you don't send said declaration, you are liable for big fines...


I’m curious what country this is, if you’re willing to share.

I’m surprised any business filing is using a desktop app rather than on the web these days.


Costa Rica. And before you can download some of the installers, they ask for your unique digital signature card number.


> I’m surprised any business filing is using a desktop app rather than on the web these days.

It's a complete nightmare. If you want to use some other digital services you are restricted to specific browser versions, some only allow you to use Windows, and in some cases the unsigned installer is only available via HTTP.


Well that's dystopian.


The same central bank is asking banks (and other entities) for unanonymized information about Costa Ricans, including bank deposits, to publish an "information package" indexed by geographical location. This under the pretext of being required by the IMF. I found it curious that nobody in the legislative commission (akin to a "congressional hearing") tasked with looking into the matter has mentioned the importance of differential privacy.


Sounds like the perfect candidate to run in a VM.


As far as I know my country doesn't force me to download any certificate, and Firefox doesn't have a cert issued by my government.


I’m curious though what CA your country uses for governmental services. Historically a lot of EU countries used some less than stellar CAs.


My local government is using GlobalSign and the Tax Agency (and probably all of the central government) uses Entrust.


Nonetheless, your government can force your ISP to do so many things.


Yeah, and send somebody to my house to shoot me in the head. But none of that is happening.


Without a valid certificate, any ISP MITM attacks would be obvious


I'm speaking as a naive end user here. BankID in Sweden turns 20 this year. I've been using it for 15 years. Started out as an app on Mac, Windows, now it's on your cellphone.

People have criticized it but in 15 years I have yet to hear about a security issue with the app or the protocol. I have yet to hear about a problem with it.

All I see are advantages.

And Sweden isn't alone in using some sort of eID.

So how come the EU can't just build on existing experience? Why are they making it more difficult?


I don't want my bank to be an ID provider. I don't trust any bank, the problem is I just can't do without them in this world. But I have no doubt their goals are opposite to my own. They datamine and exploit us.

In Holland the banks are trying to introduce their own id system too, called iDIN. But luckily the state system Digi-ID is still available too.


Fuck iDIN. Who even came up with that? Why bring banks into the mix? We've had DigiD for what, also almost 20 years now? Why replace something that works well? iDIN doesn't even fix the main problem, which is being usable in other EU countries.

Banks have enough data already, plus, why make a group of business arbiters of ones online identity?


> Fuck iDIN.

100% agreed :)

> Who even came up with that?

Guess who.. The banks did.

> Why bring banks into the mix? We've had DigiD for what, also almost 20 years now? Why replace something that works well? iDIN doesn't even fix the main problem, which is being usable in other EU countries.

It fixes the main problem for the banks which is that they were not involved. With iDIN they add another "selling point" for themselves, can sit at the table with government services as a provider and can monitor our behaviour more deeply.

It makes no sense as DigiD has worked OK (as a Dutch person living abroad it's certainly not perfect, especially the SMS 2FA option requirement for a Dutch number is super annoying, and the process of requesting access is a real PITA). At least there's an app now.

> Banks have enough data already, plus, why make a group of business arbiters of ones online identity?

It's a bad idea all around but the VVD government embraced it because they love business participation in everything.


There are now non-bank alternatives with similar coverage. Freja is likely the most established provider.


Freja is an interesting topic for Sweden. In many ways it is superior. It requires either a passport or a police-issued ID card, which it connects to using the embedded chip. It also seems to do manual checks by a human who looks at the photo (taken by the app using the phone camera) and compares it to the ID card. BankID in comparison allows anyone who can log into the bank account.

That said, people do not like the wait for the manual check, and the app itself seems to get a lot of hate.


In my country you can login to your government services using a bank account (the easy way) and by creating a proper account with password and everything (the hard way). Or with a proper smart card if you really need it.


BankID has been a security nightmare with a lot of fraud. It's relatively easy to get a BankID in someone else's name, which then allows the fraudsters to do anything in your name, including stealing everything you have.[1]

This is a great example of when privatization is a bad idea. Fraud is clearly a loss for the society, but the banks couldn't care less. A more secure solution would cost more for them, and it's someone else who has to carry the burden.

Fortunately, BankID doesn't fulfill the EU's security requirements, so Sweden finally has to make a proper eID, despite the bank-friendly politicians (Sweden is very "pro-business") not wanting to.[2]

[1] https://www.svt.se/nyheter/lokalt/uppsala/filippa-lurades-av...

[2] https://www.sweclockers.com/nyhet/37412-statlig-e-legitimati...


But the scam described in the first link is not much different than what is plaguing Microsoft Authenticator in phishing mails. Sending a QR code and getting someone to scan it to steal OTP access.

It's still much better than anything we had before, and it is after all 20 years old. So I can see that there is room for improvement.

So what is a better eID implementation? Freja?


One disadvantage: As a temporary visitor to Sweden, since you don’t have a personnummer, you’re fucked.


Yes, this is a huge problem. In fact, when looking into Swedish jobs, you are usually advised to try to get a personnummer ASAP to make your relocation as smooth as possible. Denmark also has similar problems with their digital ID.

Any unusual scenario turns into a nightmare. For instance, I moved abroad during their transition from a codecard to an app, and I lost access to my bank account and all ID-linked services despite warning my bank about the potential problems months ahead of the forced transition. The only way to regain access is to travel back to Denmark and visit my bank or my local council.


I'm in the same boat, lost my BankID and with it everything it unlocks. I live 20000km from Sweden and can't easily make that trip, especially during the covid travel restrictions. Letters with notarised copies of ID were quickly dismissed by the bank. Hopefully I'll get there next year...


Conversely, when I cross the border into Denmark from Germany, lots of places accept only a Danish payment system, to which you can only sign up with a DANISH phone number!

These kinds of services simply don’t care about the small percentage of tourists and expats that they exclude.

But I think the social externalities in terms of freedom of movement are significant and not priced in.

I’m not a fan of adding regulation but I think this is one of the places where it’s necessary.


And this is why an EU-wide system is needed. I hold 3 digital identities (Spain, Italy and Sweden) and, believe me, it's not fun.


At least your Spanish DNIe contains an X.509 certificate you can access via PKCS#11 that Just Works, both for authentication and signature. You can even use it for SSH!


Yeah I wish I could get one as a foreigner. I only get a shitty piece of green paper that doesn't last more than a few months in a wallet.

And I have to wait 10 years to change my citizenship over too. Now that the extreme-right party won the Dutch elections last week I'd really like to change it.

South Americans can change it over after only 5 years. But not EU citizens strangely.


Didn’t you get an NIE? I had one immediately (so did my whole family), the card wasn’t paper, and it was treated as identical to the Spanish ID. And yes it was super convenient certificates and all. I had to use the certs once and was afraid (due to past experience) but honestly it “just worked”.

Maybe EU citizens don’t get an NIE, though? I’m from further away.


The NIE that non EU foreigners get is indeed plastic, also referred to as a TIE sometimes.

However us EU citizens get the scrap of paper thingy. There's no photo on it either, we're supposed to use it alongside our EU photo ID.


That is a TIE, upon which is marked your NIE. There is no certificate installed in it that I know of, just the "normal" contactless biometric travel document stuff like a passport.

The green paper slip is a certificate of registration of an EU citizen in Spain, upon which their NIE is also marked.


You get the certificate from FNMT; it's not related to EU or non-EU AFAIK.


You can get a digital certificate, such as the idCAT (the FNMT also issues them). I have mine loaded into a smart card because that's just how I roll, but either way it's equivalent to the DNIe; you can use it to authenticate to all the government agencies.


Can confirm. I just renewed my Spanish DNIe last summer and not only was the whole process super smooth and took only a few minutes, but the certificate works on Linux out of the box! DNIe was crap for many years, but credit where credit is due, it has improved a lot.

On the other hand I also have the Japanese digital ID card (マイナンバーカード), and what a piece of crap. If you ever hear that Japan is the most technologically advanced country in the world: no, it is not.


Japan was miles ahead in the early 2000s but as some say, being ahead can also be a burden. And as a deeply traditional society they tend to cling to things that work. I heard that even faxes are still used there. In Austria too by the way but that's more because of an obscure legal status thing.


That's not a consequence of being ahead, it's a consequence of enough time passing if you do it at all.

The more centralized a system is, the more it ossifies. The more people there are to get used to the status quo and incur large costs if anything changes, the more change gets fought. Third parties get their hooks into it, benefit from the status quo and put substantial resources behind preventing changes that are unambiguously improvements -- "institutions will try to preserve the problem to which they are the solution."

The only way to avoid it is to never build it to begin with. Or tear it down as soon as possible if you're too late to stop it from existing but not too late to have everyone fighting to preserve their rents if you try to get rid of it.


Spain invested in a standard infrastructure (client-side certificates) back in the day (early 2000s?) and I am amazed by how simple it is, how well it works and how nobody else has thought about doing the same anywhere else (to my knowledge). Well done Spain, at least on this.


Can the Spanish ID card be used for code signing (e.g. signed installers for Windows) and for S/MIME?

Can anyone here provide an example document / thing with a valid Spanish ID signature?


Or, it isn't even an identity, just an account. I have one for my pension in France, and they've been updating their systems and I can no longer enter addresses abroad. So I must leave it blank and never change any personal details because I'll fail the form's checks... I can't prove I'm me because it's just some account.


I agree, lack of standardization discourages freedom of movement.

However, it is also necessary to make sure data privacy is factored in.


> One disadvantage: As a temporary visitor to Sweden, since you don’t have a personnummer, you’re fucked.

Walking through a park in Shanghai, I discovered that the many vending machines throughout the park will let you specify that you want to pay cash.

You can't actually pay cash, though; the slots that would accept it have been physically removed from the machines. The only way to get something out of one of the vending machines is to send the machine an online payment.


We need digital payments that allow indiscriminate access.


I'm pretty sure that for the use case where I want to receive a soda, we don't need digital payments at all. There is no need to involve the internet, because whoever gives me the soda must necessarily be in the same location where I am. The only thing wrong with the cash payment model is that someone went to special effort to disallow it.

In other digital-payments-in-China news, I just ordered some milk today from the store that is across the street from me. It's no great hardship for me to cross the street and buy the milk myself. However, the price of a third of a gallon of milk is 32 rmb. (USD $4.50). If I order it delivered, a courier will show up, buy the milk, and walk it up four flights of stairs to hand it over to me, and besides paying no delivery fee, my price per carton of milk falls to 22 rmb.

What really bothers me about this is that the bag came with a big receipt stapled to it showing that the delivery service paid the store 26 rmb per carton of milk. So the service was nice enough to cover the courier's fee for me at the same time that they paid me for everything I ordered through them.

Something somewhere is orchestrating a huge forced push for online payment. The economics clearly do not work on their own.


That's an argument to expand the system, no?


An argument to standardize it, yes.

One of the occasions where a bit of EU regulation wouldn’t hurt.


BankID is mostly snake oil. It's not really much more than TOTP 2FA, where you have to have shown physical ID to some of the involved organizations at some point. All the stuff they do with keys is pointless in the end, and is just theatrics to make it sound safe.

The providers hold all the keys, you cannot verify that a signature is legit yourself, you won't get access to the keys they use to sign things, and a cryptographic signature is not really the same as a normal signature on a document.


I don't think anyone assumes it's any different than what you describe: a centralised, official server that lets users authenticate.

You might have wanted something else, but it's never been presented as a decentralised or open solution.


Here in Switzerland we have SwissID and it's absolutely terrible.

It doesn't run on my phone because it's supposedly "rooted". I have a new Pixel phone with AOSP and the boot loader unlocked. The app behaves like malware or spyware because they make assumptions about end user devices.

Then they only support SMS based 2FA, none of the standards like TOTP or HOTP.

There is this weird sense of superiority or superior quality with the "Made in Switzerland" label. It may be true for a watch, but it's far from true when it comes to software and technology otherwise. Everything is mostly trash.


Well, the existing eIDAS stuff already provided for mutual recognition of eIDs between EU member states, i.e. someone with Swedish BankID can use it when interacting with digital services in the whole EU.

I don't know how the new text changes this.


Singapore has a venerable public ID system also, SingPass. Its been around since 2003 in some form. I cannot comment on its verified security, but appears to be reasonably ok. Banks use their own authn systems though.


So here's a scenario I haven't seen brought up yet.

Elbonian hackers manage to steal the signing key of Kneebonia, who is part of the EU (and also does IT as well as you would expect a European national government to do). They start publishing a ton of their own certs and start MITMing everything out the wazoo.

In the current environment this is noted by the community quickly; they respond and revoke the Kneebonian cert. They understand what is happening, they understand why it is happening, they understand why it is bad and they have a vested interest in stopping it.

Compare under the EU rules. The browser vendors cannot now revoke the cert of their own volition without risking significant penalties. They start the process of trying to get it revoked. The individuals involved are largely bureaucrats and civil servants the likes of Sir Humphrey. They do not understand the technical jargon; they just know the nerds are getting upset. They'll work on discussing the proposed change by evaluating a written request in the Orwellian-named "Committee for Public Internet Safety and Electronic Information Security and Cyber protection"; this committee meets 3 times a year on March 31st, October 16th and February 29th. In the meantime the entire underlying security model of the internet is broken.

Now some might say "well if it's an emergency they'll respond immediately, there will be public outcry and people's lives being ruined." And if it becomes a big deal the EU will act promptly: they will create a taskforce immediately whose job will be to create a recommendation for individuals to serve in a committee to investigate the source of the problem and create a list of possible remediations that could resolve the problem, which it will then present to the parent committee who will draft a response..... Etc etc ad infinitum until everyone involved with the matter has died of old age, and if you think I'm exaggerating, when has the EU done anything quickly?


Your case is exactly the same as some entity stealing the ability to issue passports for a country. Insinuating that people issuing national identifications don't understand the issue of forging said documents is some ridiculous techbro arrogance. We've been dealing with this shit for centuries and those "bureaucrats" you're insulting have probably gone through more cases of fraud and forgery than you ever thought about in your life.


Someone issuing false passports has literally no effect on my life. On the other hand, a government being able to issue unauthorized certificates for gmail.com and browsers being helpless about it does.


Weasel words. "Running additional security checks" is certainly going to mean the UI checks, not anything on the backend.

Cookie banners happened because US devs didn't steelman EU regs. Petty territorial behavior. This looks like someone trying not to learn their lesson.


> Cookie banners happened because US devs didn't steelman EU regs.

What would steelmanning EU regs have looked like? Not really sure what you mean by this.


> What would steelmanning EU regs have looked like?

A simple "decline [all]" / "accept" choice, not a huge list with dozens of sliders for dozens of options each labelled "legitimate interest" all of which are set to "Accept" by default?


Only use cookies to provide services that the user specifically asks you to provide. Never use the cookies for anything where the action wasn't initiated by the user. That way, nothing you do requires asking for consent and you don't need a stupid banner.


A header to opt in instead of a banner...

I'm sorry now I'm confused. Is UI design this hard? Is this neurotypical?


Yes, stupid shit like punishing your users with abusive UI for regulations you dislike is neurotypical.


> Cookie banners happened because US devs didn't steelman EU regs.

This is one of the dumbest narratives I see on HN all the time. A community of people who build things for a living should know better.

Think of regulation as software designed to create an outcome in the real world.

If everyone is wrongly using/interpreting your software…the problem is not “everyone.” The problem is the design of your software.


The problem is mostly in the enforcement. Most GDPR pop-ups do not actually comply with GDPR. And they only exist because companies wish to weasel out of stopping doing what the regulation is trying to stop them doing, and the lack of enforcement means they get away with it long enough people who don't have a clue just cargo-cult what the weasels are doing.


Tracking cookies. It's always been about tracking cookies, you liar.


All of the EU's own websites have cookie banners. Everyone has cookie banners. The problem here is the law, not the companies.


>Cookie banners happened because US devs didn't steelman EU regs.

EU sites have the same amount of cookie banners as US ones. (ie, all major sites have one)


I frequently travel to the EU and the amount of cookie banners is decidedly higher.


I also notice German sites constantly nag you; Dutch ones seem to be a little less obnoxious. What's also interesting is that Germany, sticklers if I've ever seen any, is full of nonconsensual walls where you "of your free will with no negative consequences to deny" have to click "consent" or become a paid subscriber. If the data protection authority or the law is to be believed, that's not freely given consent.

Quite hilarious are the sites that outright block European IP addresses, as if that way they don't have to bother with the basic human right to privacy (article 8 ECHR). More sites should do this if they have no wish to play by these morals instead of having (legal or illegal) walls!


By my understanding of words, even the best 10% of cookie popups are mostly not really "freely given consent".

But I know I'm not a lawyer, and my lack of understanding of the technical jargon in law is likely to be similar to the lack of understanding of technical web jargon in the old screenshot of someone looking at the JS console by accident and thinking it was a secret police thingie: https://images.app.goo.gl/4SPUwbQ1uY2r5oHcA


>If the data protection authority or the law is to be believed, that's not freely given consent

It's not. You can report this to an appropriate civil authority and in theory it'll be resolved (possibly with a fine). In practice the authorities are still so overwhelmed by GDPR that they will only look at the most severe high profile cases. Fingers crossed one day it'll improve...


The discussion around eIDAS lacks the nuance of digital sovereignty. You can have issues all you want with the legal text, but what we have here is a one-sided take that completely ignores any aspirations to digital sovereignty. The U.S. has already shown it is willing to use major infrastructure to deal with its adversaries. That was shown as it weaponized the SWIFT payments system. The U.S. routinely seizes domains owned by its U.S.-based registries.

Browser vendors are not democratically run institutions. One browser is owned by an ad broker and seller; the other browser is owned by an astroturfed* org that is 80% funded by the said ad broker and seller. Browsers not being allowed to stop their European users from accessing their European websites IS what I want. I do not want it to be possible for the U.S. to coerce browsers to take out root stores to my bank, for instance.

And as for security requirements, that's just a load of BS. eIDAS is A+B, not A or B. The security requirements in the legal text are equivalent to or higher than that of cabforum's, minus the certificate transparency bit. And that's a fair critique. Such a mechanism needs to be discussed and plausibly adopted. And we have the democratic institutions for that discourse. It's called ETSI. And browser vendors are welcome to participate in ETSI and give their suggestions of allowing certificate transparency. They aren't doing that; in good faith anyway! They're not participating in a democratic standards body, instead they're running propaganda campaigns trying to rile up their users.

To sum up, I want the EU to gain digital sovereignty. Some of the critiques are valid (I certainly don't like EV-style UI prescriptions), others are just bullshit. Bullshit we saw before GDPR. "The internet is going to be destroyed!". The internet wasn't destroyed. The internet is better after GDPR. Democratic institutions are good, ad funded browsers engaging in practices with zero accountability aren't.

*plausibly hyperbole; but I'm not sure seeing that Mozilla has shown itself to be useless, as it took pro-Google position in search engine anti-trust case


> The security requirements in the legal text are equivalent or higher that of cabforum's, minus the certificate transparency bit. And that's a fair critique. Such mechanism needs to be discussed

No, under no circumstances should browser vendors be forced to "discuss" the development and application of higher security standards with an adversary with a vested interest in holding those standards back. You cannot have a reasonable "discussion" with an entity that claims a regulatory veto.

Certificate Transparency is a great example: it's a reliable way to detect MITM certificates. "Here's an established industry standard for detecting improperly issued certificates and rejecting them to prevent interception of communication, allowing revocation of misused CAs." "So what happens when law enforcement uses a CA to issue a certificate for interception pertaining to a warrant?" "Like we said, it detects improperly issued certificates and rejects them to prevent interception of communications, so we'd detect that and revoke the CA." Further conversation after that point goes very differently depending on whether the governmental entity is empowered to veto or not.

> browser vendors are welcome to participate in ETSI and give their suggestions of allowing certificate transparency

"suggestions"? It's their software; any mechanism that attempts to prevent them from defining their own stronger security standards is broken and should be destroyed via every possible route.

If you want digital sovereignty, make a case for your requirements with the software people want to use. If that case is "we want to reduce security", you should lose; if you don't something is very wrong with the process.


So basically:

Governments are being given authority to create dodgey certificates,

Browsers can't take it down if discovered unless they have evidence it's being used and will be harmful, and

Browsers need to advise and wait for the requisite approval [of authorities] for when the browser can take it down (i.e. the authorities can decide how long it stays up).

Or am I missing something?


spot-on.

It helps to recall that ETSI, despite being some opaque standards org, is made of people[1] like you and me (many not in Europe) who helped draft this abomination of a standard. This is disguised as digital identity but the interest groups are mostly law enforcement, and the same crowd that is pushing "chatcontrol" and "regulating cryptography".

This "secret list" of experts is here[1].

And here is Tanja Lange's (repeated[2]) warning on this proposal:

>> I'm contacting you @LalicVedran & @JerkovicRomana about eIDEAS - as a cryptographer & concerned citizen. As said in eidas-open-letter.org/ & I presented in detail at the ENISA Article 19 working group it doesn't suit an open society to mandate trust. https://hyperelliptic.org/tanja/vortraege/QWACs.pdf

When Kazakhstan[3][4] made people install a certificate in their citizens' browsers we (rightly) called them a "Banana Republic". Look who is the Banana Republic now.

[1] Patrick Breyer on Twitter Nov 6th (in German) https://nitter.cz/echo_pbreyer/status/1721558594129219912

[2] Tanja Lange on Twitter Nov 5th https://nitter.cz/hyperelliptic/status/1721215011799142791

[3] Kazakhstan to MitM all HTTPS traffic starting Jan 1 (2015) https://news.ycombinator.com/item?id=10663843

[4] MITM on HTTPS traffic in Kazakhstan (2019) https://news.ycombinator.com/item?id=20472179


Nice that the person from GCHQ is called Crispin.


I think they are just certs to identify yourself to EU or national institutions for procedures (filing taxes and so on), like the certs some European countries issue.


The proposed certificate authorities can generate certificates for any entity, not just EU sites and not just new ones. They would have to be treated as valid, per the regulation.

Trust is the critical component in the PKI infrastructure. When it’s subverted and you can’t just remove the offending authorities, then it’s not really working properly anymore.


Seems like moving to something like DANE would be a good way forward. Seems like having the site owners tell the public what cert should be expected via DNS with appropriate signatures would obviate the need for CAs. (Yes I realize that this just moves the trust anchor to the DNS root authority, but it does reduce the number of authorities you need to trust).


Lots of things would help protect against this, but this regulation purports to prevent the browser vendor from implementing any stronger security mechanisms than those specified by the regulation. If DANE prevented a certificate from one of these governmental CAs from being accepted, this regulation would try to prevent using DANE.


Yes, that looks like the idea: to keep an option open for a man-in-the-middle attack.


I wonder if this would require browsers to allow government certs in place of their own pinned certs (e.g., chrome pins certs for google sites and maybe others I believe, if a non matching cert is used then the connection is rejected).


Well sort of, it allows a government to create a falsified certificate for other sites like Google sites (man-in-the-middle attack). When the browser forum/certificate authority wises up to its use, they've then got to prove it's causing harm and get approval from authorities to remove it (authorities can take their sweet time responding to the request).


Sorry, I mean, browsers today ship with a list of sites that specify a cert that must be in the chain for it to be considered valid, e.g., only trust a facebook.com cert if it's from XYZ CA.

Depending on the wording of the law, it seems like it could require browsers to ignore this requirement for government issued certificates, hence bypassing the cert pinning and allowing them to intercept traffic to e.g., Facebook.

I'm not sure how many sites do this, I think Google's own do, and maybe some of the other big names use it as well, but I'm not certain.
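To make the pinning point in this comment and the DANE point in the earlier comment concrete, here is an added example (not code from the thread, from any browser, or from any project the thread mentions): a toy Python trust evaluator that runs plain root-store trust, then an SPKI pin check of the kind described here, then DANE-style TLSA matching (RFC 6698 usages 0 to 3, selectors 0 and 1, matching types 0 to 2) over constructed certificate records. Every name, key and the "Mandated Root CA" are constructed placeholders; certificates are modelled as plain records with stand-in byte strings instead of parsed X.509, and no signatures are checked, so only the layering logic is real.

```python
"""Layered trust decision: root-store trust, SPKI pins, DANE/TLSA matching.

Added example, not from the thread. Certificates are constructed records whose
'spki' and 'der' fields are stand-in byte strings, not real DER; a real client
would extract the SubjectPublicKeyInfo from the parsed X.509 certificate.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes   # constructed stand-in for DER SubjectPublicKeyInfo
    der: bytes    # constructed stand-in for the full DER certificate


def make_cert(subject, issuer, key_label):
    """Build a deterministic placeholder certificate from labels (constructed data)."""
    spki = hashlib.sha256(b"spki:" + key_label.encode()).digest()
    der = hashlib.sha256(b"der:" + subject.encode() + issuer.encode() + spki).digest()
    return Cert(subject, issuer, spki, der)


def spki_hash(cert):
    """SHA-256 over the SPKI, the value browsers and HPKP pin against."""
    return hashlib.sha256(cert.spki).digest()


def pkix_trusted(chain, trusted_roots):
    """Toy root-store check: issuer/subject links up the chain and the self-signed
    root's SPKI hash is in the trusted set. Signatures are not verified (toy model)."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.subject == root.issuer and spki_hash(root) in trusted_roots


def pin_satisfied(chain, pins):
    """Pin check: at least one certificate in the chain carries a pinned SPKI.
    A chain built by a different CA never contains the pinned key, so it fails."""
    return any(spki_hash(c) in pins for c in chain)


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


def tlsa_matches(record, cert):
    """Compare one TLSA record against one certificate per selector/matching type."""
    raw = cert.der if record.selector == 0 else cert.spki
    if record.matching == 0:
        digest = raw
    elif record.matching == 1:
        digest = hashlib.sha256(raw).digest()
    elif record.matching == 2:
        digest = hashlib.sha512(raw).digest()
    else:
        return False
    return digest == record.data


def dane_satisfied(chain, records, pkix_ok):
    """Usages 0/1 additionally require the chain to pass root-store validation;
    usages 1/3 match the leaf, usages 0/2 match any certificate in the chain."""
    for r in records:
        if r.usage in (0, 1) and not pkix_ok:
            continue
        if r.usage in (1, 3) and tlsa_matches(r, chain[0]):
            return True
        if r.usage in (0, 2) and any(tlsa_matches(r, c) for c in chain):
            return True
    return False


def evaluate(chain, trusted_roots, pins, records):
    """Run all three checks and report each separately."""
    pkix_ok = pkix_trusted(chain, trusted_roots)
    return {"pkix": pkix_ok,
            "pin": pin_satisfied(chain, pins),
            "dane": dane_satisfied(chain, records, pkix_ok)}


# Constructed scenario: the site's genuine chain and a mis-issued chain from a
# second root that the root store has been made to accept.
GOOD_ROOT = make_cert("Good Root CA", "Good Root CA", "good-root")
GOOD_INT = make_cert("Good Intermediate", "Good Root CA", "good-int")
GOOD_LEAF = make_cert("example.com", "Good Intermediate", "example-key")
GENUINE_CHAIN = [GOOD_LEAF, GOOD_INT, GOOD_ROOT]

MANDATED_ROOT = make_cert("Mandated Root CA", "Mandated Root CA", "mandated-root")
MANDATED_LEAF = make_cert("example.com", "Mandated Root CA", "other-key")
MISISSUED_CHAIN = [MANDATED_LEAF, MANDATED_ROOT]

TRUSTED_ROOTS = {spki_hash(GOOD_ROOT), spki_hash(MANDATED_ROOT)}  # both in the store
PINS = {spki_hash(GOOD_INT)}                                        # site pins its intermediate
TLSA_RECORDS = [TLSA(3, 1, 1, spki_hash(GOOD_LEAF))]                # DANE-EE, SPKI, SHA-256

if __name__ == "__main__":
    print("genuine   :", evaluate(GENUINE_CHAIN, TRUSTED_ROOTS, PINS, TLSA_RECORDS))
    print("misissued :", evaluate(MISISSUED_CHAIN, TRUSTED_ROOTS, PINS, TLSA_RECORDS))
```

The point the output makes is the one both comments are circling: the mis-issued chain passes the root-store check because its root was added to the store, and it is the pin and the TLSA record, both controlled by the site owner rather than by any CA, that reject it. Whether a client is permitted to keep applying such checks to certificates from mandated CAs is exactly the question raised about the regulation.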


Sorry I see what you're saying, I think you're right. Perhaps a browser fork for non-EU folk? Far from ideal.




The current version of this is basically like giving the government the ability to issue passports for all countries. And preventing people accepting said passports as IDs from being able to say 'hey, this passport which claims you are the president of the US seems a little fishy'. Which seems pretty bonkers to me.


It would be impossible for them to force me to blindly accept a government issued ID card as true, and it would be insane for me to comply with such a demand. The same is true here, I won't run a browser or OS that complies with these regulations and as far as I can tell, they can't realistically make me.

The problem is if companies like Apple and Microsoft that make proprietary operating systems are forced to comply by the threat of import bans, etc. That would make their less technologically sophisticated customers vulnerable to completely unnecessary risks. The EU might not think the risks are unnecessary because they gain "sovereignty", but that only helps the EU and their member states, not 99.999% of the people who live in their territory.

Ultimately, I don't think this will be implemented. They can scream "sovereignty" as much as they want, but everyone else has an incentive to resist, and it would be even more harmful to their perception of sovereignty if both Microsoft and Apple say no and the EU faces the choice of either banning 99% of computers on the consumer market (and still be unable to force the remaining open source alternatives to meaningfully comply) or backing down to foreign organizations after a public confrontation.


Companies are going to follow the money.

Other countries will probably turn a blind eye, either:

for allies: on the proviso that the EU share the data with them.

for adversaries: a good excuse to cordon off their internal internet, which they can then monitor as they wish.


They could comply and treat them like self signed certificates with a click through screen.

"This website's certificate is issued by <insert Banana Republic> CA. Are you sure you want to proceed?"


It's hard to say whether that would be allowed because the regulation is written in such a vague language. There is a risk that such a system would be considered to be a precautionary measure under Article 45a-1.


Picking a fight with a government doesn't usually end well for you.


As if they would say no.


This is an interesting point of view. This also pertains to root certificates in browsers however. Would a better way be not to set up a body to monitor certificates issued, to police certificates for their own CA and ensure any offending certificate is immediately removed, and to bring in laws to penalise the offending CA?

Instead they're prying a new threat vector open wide.


Yeah, I'm not sure if I fully agree with the method here either - it feels like it was helped by law enforcement a bit too much.

But I did want to make a point about why such paragraph exists and why it's not acceptable for EU to delegate CA policing to non-governmental industry bodies.


This is pretty browser specific. To sidestep this, we only need new chat and forum protocols with clients that don't require implementing every conceivable data format handler from the last 35 years.


historically, whatever a government gets involved in usually works out amazingly well. right?


Probably on average actually true (microprocessors and the internet come to mind, creation of "modern" cash back in antiquity, the formal code of law, sanitation, etc.), but with some colossal disasters in there, too.

