It is a digital certificate standard. Browser certificates are only a tiny part of it; that wasn't why it was made. Having a standard for digital certificates is a good thing: it makes it easy to switch document signer providers etc., since they are all forced to implement the same interface.
I’ve read enough mozilla.dev.security.policy threads along the lines of “but we’re a qualified eIDAS CA (erm, TSP)! — but your audits, key management, and issuance controls are all crap! — but eIDAS!” that I feel that it might, in fact, be partly an attempt by CAs to ensure that they can’t be kicked out of browsers at the browsers’ discretion, or even have to obey CA/BF decisions. It certainly appeared that the fuss around QWACs got much louder as the EV UI downgrade progressed.
Maybe it wasn’t the original intention, but right now, even ignoring the surveillance angle, I feel that it would be a major downgrade to the post-Symantec state of the Web PKI. In particular, the process for getting a CA disqualified or inconvenienced in any other way seems to be so onerous as to be basically intractable, especially if you, the relying party, are not in the EU. As far as I can tell (but here I can be wrong), as a relying party you don’t even have standing to do anything about it—it’s considered to be solely the business of your country’s government, and if the government body doesn’t care (see: Facebook and the Irish DPA), tough, guess you’re a single-issue voter now.
Jensson|2 years ago
mananaysiempre|2 years ago
johnfonesca|2 years ago
eIDAS was introduced in 2016. Now, 7 years later, there still isn't an API specification for interoperability (there are drawings though: https://blog.eid.as/new-apis-for-the-eidas-ecosystem/ )
In the meantime, any digital signature done in the EU must be done with a certificate issued only by the "select" CAs to be considered "valid".
g-b-r|2 years ago