New legislative articles, introduced in recent closed-door meetings and not yet public, envision that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.
The near-final text of the eIDAS (electronic identification, authentication, and trust services) will be presented to the public and parliament for a rubber stamp before the end of the year.
It enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.
This is particularly troubling given that adherence to the rule of law has not been uniform across all member states, with documented instances of coercion by secret police for political purposes.
That we can ditch them with relative ease. Besides, Mozilla isn’t a company, it’s a non-profit. And the root CAs it includes aren’t all American. So there’s already better alternatives than this. I’m all for the EU creating alternatives. But if those are good they’ll be used without anyone having to be forced.