1. 76
  1.  

    1. 12

      EU citizens wanting to oppose the current eIDAS proposal can use my edit of the open letter to send to their Members of European Parliament: https://www.jeremiahlee.com/posts/2023-eu-eidas-feedback/

    2. 2

      I know it’s probably something wrong with me, but where can I find this proposed legislation (containing this sinister article 45) and read it? Also, if it is really true, I don’t understand how any country in Europe would agree to this. Will e.g. Hungary be able to create a new certificate for riksdagen.se and browsers in the whole of Europe will just accept it? Or is there any more detail to this story?

      1. 15

        Also, if it is really true, I don’t understand how any country in Europe would agree to this. Will e.g. Hungary be able to create a new certificate for riksdagen.se and browsers in the whole of Europe will just accept it? Or is there any more detail to this story?

        It looks as if this is another case of well-intentioned legislation being written by people with no understanding of the subject at hand and without proper consultation. I believe (judging from the analysis in the letters) the intent was to require that EU countries are able to host CAs that are trusted in browsers, without the browser vendors (which are all based outside the EU) being able to say ‘no, sorry, we won’t include your certificate’. Ensuring that EU citizens can get certificates signed without having to trust a company that is not bound by the GDPR (for example) is a laudable goal.

        Unfortunately, the way that it’s written looks as if it has been drafted by various intelligence agencies and introduces fundamental weaknesses into the entire web infrastructure for EU citizens. It’s addressing a hypothetical problem in a way that introduces a real problem. I’m aware that any sufficiently advanced incompetence is indistinguishable from malice, but this looks like plain incompetence. Most politicians are able to understand the danger if US companies can act as gatekeepers for pieces of critical infrastructure. They’re not qualified to understand the security holes that their ‘solution’ introduces and view it as technical mumbo-jumbo.

        1. 4

          Ensuring that EU citizens can get certificates signed without having to trust a company that is not bound by the GDPR (for example) is a laudable goal.

          As far as I am aware of, the real reason for this is to facilitate citizen access to public services using certificates that actually certify to citizens that they are in fact communicating with the supposed public organization.

          EU would be served well by a PKI extension that would allow for CAs that can only vouch for a limited set of domains where the list of such domains is public and signed by a regular CA in a publicly auditable way.

          Or even simpler, they could just define a standard of their own with an extra certificate alongside the regular certificate. Then they could contribute to browsers some extra code that loads a secondary certificate and validates it using a different chain when a site sends an X-From-Government: /path/to/some.cert header and displays some nice green padlock with the agency name or something.
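          The “CA that can only vouch for a limited set of domains” idea in the comment above already has a standardised form: the X.509 name-constraints extension (RFC 5280 section 4.2.1.10). The following is an added example, not code from anyone in this thread, that implements the DNS-name matching rule a browser applies when it checks a leaf certificate against a constrained issuer; the CA names and domains are constructed for illustration.

```python
# Added example: RFC 5280-style DNS name-constraint checking, the mechanism by
# which an issuing CA can be limited to a published set of domains. Pure standard
# library; the constraints and names below are constructed, not real certificates.

from dataclasses import dataclass, field


def _dns_label_match(name: str, constraint: str) -> bool:
    """A DNS name satisfies a constraint when it equals the constraint or can be
    formed by adding zero or more labels to the constraint's left-hand side."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().strip(".")  # tolerate the ".example.com" spelling
    if not constraint:
        return True  # an empty constraint matches every name
    return name == constraint or name.endswith("." + constraint)


@dataclass
class DnsNameConstraints:
    """permittedSubtrees / excludedSubtrees of one CA certificate (dNSName type only)."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)

    def allows(self, dns_name: str) -> bool:
        # Excluded subtrees always win; then, if any permitted subtree is present,
        # the name must fall inside at least one of them.
        if any(_dns_label_match(dns_name, c) for c in self.excluded):
            return False
        if self.permitted and not any(_dns_label_match(dns_name, c) for c in self.permitted):
            return False
        return True


def leaf_names_allowed(san_dns_names: list[str], chain: list[DnsNameConstraints]) -> bool:
    """Every DNS SAN in the leaf must be acceptable to every constrained CA in the chain;
    a single out-of-scope name makes the whole certificate unacceptable."""
    return all(nc.allows(name) for nc in chain for name in san_dns_names)


if __name__ == "__main__":
    # Constructed scenario: a hypothetical national CA whose public list of domains
    # is encoded as permitted subtrees, chained under an ordinary publicly trusted root.
    national_ca = DnsNameConstraints(permitted=["riksdagen.se", "regeringen.se"])
    print(leaf_names_allowed(["www.riksdagen.se"], [national_ca]))    # True
    print(leaf_names_allowed(["login.bank.example"], [national_ca]))  # False
```

Because the permitted list lives in the CA certificate itself, it is visible to anyone who inspects the chain, which is what makes the scope publicly auditable rather than a matter of policy.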

        2. 2

          intelligence agencies

          Looking at how misguided this legislation is, I’m not sure if these agencies are from any European country. This level of incompetence feels utterly disappointing. Politicians should be obliged to consult experts in a domain that a given new piece of legislation affects. I also don’t understand what’s so secret about it that justifies keeping it behind closed doors. Sounds like an antithesis of what the EU should stand for. Perfect fuel for some people that tend to call the EU a 2nd USSR and similar nonsense like this.

          1. 5

            Looking at how misguided this legislation is, I’m not sure if these agencies are from any European country

            It depends. Several EU countries have agencies that clearly separate the offensive and defensive parts and this is the kind of thing that an offensive agency might think is a good idea: it gives them a tool to weaken everyone.

            Politicians should be obliged to consult experts in a domain that a given new piece of legislation affects

            This is tricky because it relies on politicians being able to identify domain experts and to differentiate between informed objective expert opinion and biases held by experts. A lot of lobbying evolved from this route. Once you have a mechanism by which politicians are encouraged to trust outside judgement, you have a mechanism that’s attractive for people trying to push an agenda. I think the only viable long-term option is electing more people who actually understand the issues that they’re legislating.

            I also don’t understand what’s so secret about it that justifies keeping it behind closed doors. Sounds like an antithesis of what the EU should stand for

            The EU has a weird relationship with scrutiny. They didn’t make MEPs’ voting records public until fairly recently, so there was no way of telling if your representative actually voted for or against your interests. I had MEPs refuse to tell me how they voted on issues I cared about (and if they’d lied, I wouldn’t have been able to tell) before they finally fixed this. I don’t know how anyone ever thought it was a good idea to have secret ballots in a parliamentary system.

            1. 1

              I think the only viable long-term option is electing more people who actually understand the issues that they’re legislating.

              This is the sort of thing that an unelected second chamber is better at handling. Here’s an excerpt from an interview with Julia King, who chairs the Select Committee on Science and Technology in the UK’s House of Lords:

              You get a chance to comment on legislation because we are a revising chamber. We’re there to make legislation better, to ask the government to think again, not to disagree permanently with the government that the voters have voted in because we are an unelected House, but to try and make sure that legislation doesn’t have unintended consequences.

              You look at the House of Commons and there’s probably a handful now of people with science or engineering backgrounds in there. I did a quick tot up - and so it won’t be the right number - of my colleagues just on the cross-benches in the House of Lords, and I think there must be around 20 of us who are scientists, engineers, or medics. So there’s a real concentration of science and engineering in the House of Lords that you just don’t get in the elected House. And that’s why I think there is something important about the House of Lords. It does mean we have the chance to make sure that scientists and engineers have a real look at legislation and a real think about the implications of it. I think that’s really important.

              That’s from an episode of The Life Scientific.

            2. 1

              I think the only viable long-term option is electing more people who actually understand the issues that they’re legislating.

              I don’t see how this could ever be viable given existing political structures. The range of issues that politicians have to vote on is vast, and there just aren’t people that exist who are simultaneously subject matter experts on all of them. If we voted in folks that had a deep understanding of technology, would they know how to vote on agriculture bills? Economics? Foreign policy?

              1. 1

                You don’t need every representative to be an expert in all subjects, but you need the legislature to contain experts (or, at least, people that can recognise and properly interrogate experts) in all relevant fields.

                I’m not sure if it’s still the case, but my previous MP, Julian Huppert, was the only MP in parliament with an advanced degree in a science subject and one of a very small number of MPs with even bachelor’s degrees in any STEM field. There were more people with Oxford PPE degrees than the total of STEM degrees. Of the ones with STEM degrees, the number that had used their degree in employment was lower. Chi Onwurah is one of a very small number of exceptions (the people of Newcastle are lucky to have her).

                We definitely need some economists in government (though I’ve yet to see any evidence that people coming out of an Oxford PPE actually learn any economics. Or philosophy, for that matter), but if we have no one with a computer science or engineering background, they don’t even have the common vocabulary to understand what experts say. This was painfully obvious during the pandemic, when the lack of any general scientific background, let alone one in medicine, caused huge problems in trying to convert scientific advice into policy decisions.

      2. 8

        You currently cannot, as per the first paragraph. The working documents are not public.

        1. 1

          My reading comprehension clearly leaves a lot to be desired, my bad.

      3. 3

        Because, as with all legislation here, every person involved cannot understand the threat model. They believe that obviously this will only do good things, and don’t understand that different places have different ideas of what is “good”. They similarly don’t understand that the threat model includes people compromising the issuer, and don’t understand that, given the power of their own CAs, they will be extremely valuable, and also that part of a section of all governments is generally underfunded.

        Fundamentally they don’t understand how trust works, and why the CARB policies that exist, exist.

      4. 3

        Also, if it is really true, I don’t understand how any country in Europe would agree to this.

        Considering how the EU works, this was probably proposed by a member government, and with how it’s going, many member governments probably support it.

      5. 2

        I don’t know what’s in the proposed legislation, but the version of eIDAS that was published in 2014 already contains an Article 45 about certificates (link via digital-strategy.ec.europa.eu):

        Article 45 - Requirements for qualified certificates for website authentication
        1. Qualified certificates for website authentication shall meet the requirements laid down in Annex IV [link].
        2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2) [link].

        I suppose the proposed legislation makes this worse.

    3. 1

      no date, no author, no reference. Looks fishy.

      1. 35

        This is legitimately from Mozilla.

        1. 7

          In future, if Mozilla is doing official things on domains unrelated to any existing project domain, it would be helpful to:

          • Link to that domain from one of the official domains
          • Have a link in the thing on that domain pointing to the place Mozilla links from it.

          Doing this would mean that, in two clicks, readers can validate that this really is Mozilla-endorsed and not someone impersonating Mozilla. Training Mozilla users that anyone who copies and pastes the Mozilla logo is a trusted source is probably not great for security, in the long term.

      2. 18

        There’s literally a date, references at the bottom, and it says Mozilla both at the top and bottom.

        1. 6

          Date acknowledged, but placing a Mozilla logo is too easily faked.

          IMO it would be OK on their own domain. But not on a vanity domain.

          1. [Comment removed by author]

      3. 7

        I, too, question whether this page was really written by Mozilla, but I did confirm that Mozilla and other companies really do oppose Article 45 of eIDAS.

        This Mozilla URL hosts a 3-page open letter against Article 45 of eIDAS: https://blog.mozilla.org/netpolicy/files/2023/11/eIDAS-Industry-Letter.pdf. It’s a completely different letter from the 18-page letter linked by this story, though both letters are dated 2 November 2023. This story references Mozilla’s letter as if it’s by someone else:

        Their calls have also been echoed by companies that help build and secure the Internet including the Linux Foundation, Mullvad, DNS0.EU and Mozilla who have put out their own statement.

        Some other parties published blog posts against eIDAS Article 45 today:

        1. 2
      4. 2

        There’s a very big Mozilla logo at the top.

        1. 21

          And at the bottom, yet it’s not on a Mozilla domain, it doesn’t name any Mozilla folks as authors, and the domain it is hosted on has fully redacted WHOIS information and so could be registered to anyone. I can put up a web site with the Mozilla logo on it, that doesn’t make it a Mozilla-endorsed publication.

          1. 2

            fully redacted WHOIS information

            As is normal for any domain I order from inside the EU.

            Edit: And the open letters are all hosted on the https://www.mpi-sp.org/ domain. That doesn’t have to make it more credible, but at least that’s another institute.

            1. 9

              As is normal for any domain I order from inside the EU.

              It is for any I do as an individual. Corporate ones typically don’t redact this, to provide some accountability. Though I note that mozilla.org does redact theirs.

              1. 2

                Good to know. The company domains I dealt with all have this enabled. (Some providers don’t even give you the option to turn it off.)

              2. 1

                I’ve found this to be inconsistently administered. For instance, I believe that it is Nominet (.uk) policy that domain registrant information may be redacted only for registrants acting as an individual. But registration information is redacted by default for all domain contact types at the registry level, and there is no enforcement of the written policy.

            2. 6

              This is the link that was shared by Stephen Murdoch, who is one of the authors of the open letter: https://nce.mpi-sp.org/index.php/s/cG88cptFdaDNyRr

              I’d trust his judgement on anything in this space.

    4. 1

      With regards to various “this looks fake” conversations, just for fun I made an identical copy of the site at https://alopex.li/temp/dupe/last-chance-for-eidas.html. It took less than five minutes.

      I salute whoever created the site on their simple and sensible design!