EU’s Digital Identity Framework Endangers Browser Security
The proposed amendment requires CAs in all major root stores that are nationally approved by EU member countries. The amendment has no assurance that these CAs must meet the root store’s security requirements, no listed mechanisms to challenge their inclusion, and no required transparency.
This setup could also tempt governments to try “Machine-in-the-Middle”(MITM) attacks on people. In August 2019, the government of Kazakhstan tried to require installation of a certificate to scan citizen traffic for “security threats.” Google Chrome, Mozilla Firefox, and Apple Safari blocked this certificate. They were able to take this stand because they run independent root stores with proper security controls. Under this new regulation, this would not be as easy to do.
To my knowledge, censorship circumvention relies on secure Free World protocols that undemocratic nations can’t afford to block as a disguise for Tor traffic. If this amendment passes, what will happen to censored Tor users if government MITM becomes a normal practice?