The outcry about #eIDAS is highly manipulative and very much resembles the infamous #ACTA2 campaign, where a number of US-based companies rolled out a fake "grassroots protest" against an EU regulation that was hurting their business but protected the rights of EU citizens. Many people have fallen for it, so I will explain what's wrong with this claim:
> Under the eIDAS regulation, each member state of the EU (as well as recognised third party countries) is able to designate Qualified Trust Service Providers (Qualified TSPs) for the distribution of Qualified Website Authentication Certificates (QWACs). Outside the EU, these TSPs and QWACs are more typically known as Certificate Authorities (CAs) and TLS Certificates, respectively. Article 45 requires browsers to recognise these certificates.
I spent ~10 years doing consulting in the EU electronic signature sector, so I was a bit surprised how eIDAS could be presented as a "threat for privacy", but here we are. The electronic signature laws have been working in the EU for the last 15 years and have enabled plenty of modern solutions that millions of people in the EU use today.
I understand that this may sound outrageous to those US folks who believe paper checks are the ultimate achievement of humanity in the sphere of banking and that queues at the DMV were prescribed in the Bible. But in the EU millions of people use electronic government services, electronic banking and even another entirely sinful invention - a single government "electronic identity document". Estonia, notably, built a whole e-Residency program that works brilliantly based on the eID.
**All these solutions used by millions of people are powered by the qualified electronic signature, regulated by the eIDAS directive.** The level of legal and technical scrutiny governing the EU qualified signature is well beyond the WebTrust industry standard used for certification of websites. The EU QCAs have been extremely strictly regulated during their operations for the last decade, and most notably there are no laws that would allow them to circumvent the regulation for nefarious purposes, nor precedents where they would have done so as a result of negligence or some secret government pressure. The history of WebTrust, at the same time, is full of stupid mistakes or negligence that resulted in the issuance of fake certificates - and this is understandable, because the level of technical scrutiny and legal liability of WebTrust CAs is an order of magnitude lower than that of QCAs.
The only purpose of Article 45 is to integrate the QCA roots into the web environment, which currently operates in a parallel reality: I trust my eID-enabled web banking much more than I trust any website protected by ACME certificates, but to use it I need a series of browser and operating system add-ons, specifically because my browser doesn't recognise eID certificates by default.