This doesn’t restrict TLS, a protocol, it restricts the implementations of TLS by the handful of companies who develop and distribute widely-used web browsers - which are mostly US-headquartered multinationals.
Mandating trusted CAs opens the door to fucking with the communication in progress. Ie undermining TLS whose job it is to protect that communication. Spinning this as an attack on the companies making the browser is a bit too creative for me. That’s like saying wiretaps are an attack on the telco, not the phone calls being listened in on.
Currently browser vendors are able to make their own decisions about which CAs to trust, and how to validate certificates. Most browsers trust a lot of nation states’ CAs, but they (the browser vendors) are currently free to unilaterally stop trusting them when they learn of abuses.
That’s like saying wiretaps are an attack on the telco, not the phone calls being listened in on.
That’s categorically false, they want to inject their own trusted certificates into browsers that’re distributed in the EU, so that any MITM traffic will “just function”. Basically they’re forcing a backdoor for every encrypted channel.
Furthermore they want to make certificate transparency next-to-illegal; remove protections and warnings for when someone is requesting certificates for your domain when you haven’t requested them, plus other uses.
I’m not sure what part of my comment you’re saying is categorically false? I agree with your assessment of eIDAS! I even made a meme about it.
I guess you’re disagreeing with me saying this restricts companies’ implementations of TLS rather than TLS itself? I’m saying that because the law is specifically talking about web browsers, and doesn’t appear to apply to other uses of TLS.
TLS is a US company now?
This doesn’t restrict TLS, a protocol, it restricts the implementations of TLS by the handful of companies who develop and distribute widely-used web browsers - which are mostly US-headquartered multinationals.
Mandating trusted CAs opens the door to fucking with the communication in progress. Ie undermining TLS whose job it is to protect that communication. Spinning this as an attack on the companies making the browser is a bit too creative for me. That’s like saying wiretaps are an attack on the telco, not the phone calls being listened in on.
Currently browser vendors are able to make their own decisions about which CAs to trust, and how to validate certificates. Most browsers trust a lot of nation states’ CAs, but they (the browser vendors) are currently free to unilaterally stop trusting them when they learn of abuses.
Often it is both. Remember MUSCULAR?
That’s categorically false, they want to inject their own trusted certificates into browsers that’re distributed in the EU, so that any MITM traffic will “just function”. Basically they’re forcing a backdoor for every encrypted channel.
Furthermore they want to make certificate transparency next-to-illegal; remove protections and warnings for when someone is requesting certificates for your domain when you haven’t requested them, plus other uses.
I’m not sure what part of my comment you’re saying is categorically false? I agree with your assessment of eIDAS! I even made a meme about it.
I guess you’re disagreeing with me saying this restricts companies’ implementations of TLS rather than TLS itself? I’m saying that because the law is specifically talking about web browsers, and doesn’t appear to apply to other uses of TLS.