November 8, 2023 at 03:31AM
Lawmakers in Europe are set to approve digital identity rules known as eIDAS 2.0, which civil society groups argue will make the internet less secure and increase the risk of online surveillance. One of the requirements of the legislation is that browser makers must trust government-approved Certificate Authorities (CAs) and cannot implement additional security controls. This means that certificates issued by government-endorsed CAs could be used to intercept and decrypt encrypted HTTPS traffic between websites and users. Mozilla and other organizations have expressed concerns about the legislation and are urging EU lawmakers to revise the legal language.
The eIDAS (electronic IDentification, Authentication and trust Services) 2.0 legislation in Europe aims to modernize and update the rules regarding digital identity and trust services. It covers various aspects such as electronic signatures, time stamps, registered delivery services, and website authentication certificates.
One of the concerns raised is that eIDAS 2.0 requires browser makers to trust government-approved Certificate Authorities (CAs) and prohibits them from implementing additional security controls beyond those specified by the European Telecommunications Standards Institute (ETSI). This means that if a government-backed CA issues a certificate for a website, the government could use it to intercept and decrypt the encrypted HTTPS traffic between the website and its users.
Mozilla, Google, and other browser makers have expressed their concerns about this legislation and its impact on security. They argue that it could potentially allow governments to abuse their power and issue certificates that facilitate interception of web traffic. They have urged EU lawmakers to revise the legal language and ensure suitable safeguards are in place.
The legislative text is currently being reviewed and will be subject to approval in closed-door meetings in Brussels on November 8th.