> irrespective of how clearly untrustworthy that company is.
Isn't that a bit of an exaggeration? Surely what the EU is proposing is that browsers have to accept just those companies which pay the necessary fee and which some EU body declares to be trustworthy.
You're right, though, that this still adds to the attack surface, because now you have to trust not just your browser vendor, and all the CAs that they trust, but also this EU body and all the CAs that they trust.
That EFF page is really weird - English text, but right-aligned, with question marks to the left of the text, as if the text had been translated from an RTL language (Farsi perhaps given the /fa/ in the link?)
From the looks of it the EU wants to push out a widespread identity management system, which is fine.
It's unclear to me after a brief perusal why they can't use a normal root certificate, or create their own along a letsencrypt line (indeed that would be a great benefit having another widespread free ACME powered certificate authority, one funded by the taxpayer), with the same protections and transparency as LE.
> That EFF page is really weird - English text, but right-aligned, with question marks to the left of the text, as if the text had been translated from an RTL language (Farsi perhaps given the /fa/ in the link?)
It's just a Farsi link to an English article that's automatically applying RTL styling; the original version of the page in English looks fine.
> or any say over the member states' criminal legislation? That Commission?
One of the jobs of the Commission is deciding whether member states are in line with their treaty obligations; that includes any laws passed by said member states.
> At least that is the only thing that keeps the EU Commission from going full police state.
Such an extraordinary claim.
Are you able to provide any evidence that supports your claim that at any time the EU Commission tried to go "full police state", and that courts kept that from happening?
(For those who haven't been following, here's what the EFF has to say about it: https://www.eff.org/fa/deeplinks/2021/12/eus-digital-identit... )