Europe: “eIDAS legislation will not pose a problem for data protection and security”

The European Commission has finalized the legal framework for European digital identity. It categorically denies that the framework makes it possible to spy on citizens, but experts consider this absurd.

There is a catch in the detail of the legal text. Last week, more than 300 experts (now more than 500 researchers), including Belgian cryptographer Bart Preneel, wrote an open letter warning that Article 45 of that text could legally allow a government to spy on citizens using their own certificates. This is because they are not monitored through a standard process and cannot even be revoked if they are misused.

The European Commission gave a press conference on the eIDAS legislation on Thursday and stressed that in its view there was no problem. Consequently, Article 45 in question has not been amended. “There is no need for adjustment, but we would like to clarify that there are misunderstandings on this issue,” a Commission spokesperson told Data News.

Europe: “Difference between identification and encryption”

The Commission says that QWACs (Qualified Website Authentication Certificates) can identify users and websites, but that the regulation specifically refers to the identification of a website: to check whether a government or service website is in fact the real website, without any other purpose (e.g. encryption of data traffic between the user and the service, and thus possible interception).

Europe has heard the criticism and insists it is unjustified. “We read the comments and discussed them with our experts last week. This leads us to conclude that the criticism is unfounded. There is no risk of government spying or breach of (encrypted) communications, and we want to say that loud and clear. This also applies to certificates that have been around for years and have never posed a problem.”

Experts: “Absurd”

However, this explanation was immediately refuted. Professor Bart Preneel (KU Leuven), a global authority in the field of encryption, is categorical on this: “The idea that identity and public key can be separated in a certificate is currently absolutely wrong.” He adds a nuance: it is possible to revise the standards to make this possible. However, this is currently not the case and seems unlikely.

Preneel says that with TLS (Transport Layer Security, the encryption protocol used today), the identity is tied to a public key. Based on this key, a user’s session is encrypted. “However, if the QWAC certificate contains the wrong key, it gives the browser user the impression that they are on the correct website and that all the information is encrypted, but with a key that is known to the government, allowing the government to intercept and read all communications.”
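Added example, not from the article or from anyone quoted in it: a shell sketch of the binding described above, assuming the `openssl` command-line tool is installed. It creates two constructed certificates that carry the same placeholder name `service.example` but different keys, and shows that only a comparison of the key fingerprint tells them apart.

```shell
#!/bin/sh
# Constructed demo data only: throwaway self-signed certificates, placeholder names.
set -eu

# Create a self-signed certificate and key for a given name.
make_cert() {  # $1 = output prefix, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# The identity (name) the certificate asserts.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# SHA-256 over the DER SubjectPublicKeyInfo: identifies the key, not the name.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# Compare a presented certificate with one recorded on an earlier visit.
compare_certs() {  # $1 = recorded certificate, $2 = presented certificate
    if [ "$(cert_subject "$1")" != "$(cert_subject "$2")" ]; then
        echo "name-mismatch"
    elif [ "$(spki_sha256 "$1")" != "$(spki_sha256 "$2")" ]; then
        echo "same-name-different-key"   # the name check alone would not notice
    else
        echo "same-name-same-key"
    fi
}

demo() {
    dir=$(mktemp -d)
    make_cert "$dir/recorded" service.example
    make_cert "$dir/other" service.example
    compare_certs "$dir/recorded.pem" "$dir/other.pem"
    compare_certs "$dir/recorded.pem" "$dir/recorded.pem"
    rm -rf "$dir"
}
demo
```

The first comparison reports `same-name-different-key`: the name matches, yet the session would be protected with a different key than the one recorded.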

However, Preneel believes that some parts are still being adjusted to weaken the interpretation so that browsers can continue to ignore certain certificates or certain information contained therein. However, he doesn’t know if this will have much impact on the ability to abuse the system.

Mozilla: “A missed opportunity”

Mozilla, the non-profit organization behind Firefox, is also critical. “More could have been done to improve the text,” says Tasos Stampelos, EU Public Policy & Government Relations Lead at Mozilla. “The recitals (the accompanying text intended to frame the interpretation of the legal text, editor’s note) have been adjusted and we are seeing improvements. However, this is not the case with the text of the law itself. We continue to note that there are no additional security requirements and that ETSI standards should not be followed (see editor’s note below).”

“The Commission claims that this is a misunderstanding, but this was not clarified in the legal text and therefore nothing was clarified.” Mozilla emphasizes, independently of Bart Preneel, that when it comes to certificates there is no separation between identifying a website and encrypting data traffic.

Limited safety standards: a need for harmonization

Another criticism is that the control of these connections may not be the best available. In short: there are standards for this, but they are set by ETSI (the European Telecommunications Standards Institute). Experts fear this could be an obstacle for member states wanting to introduce better security measures. Here Europe provides the nuance that a compromise is necessary for interoperability.

“By that we mean there are no additional requirements other than those we include in the rules. It is normal that if we want to standardize, we should avoid each party having different rules. It must work. The text does not say that no one has the authority to monitor security,” the Commission said.

Finally, it also appears that browsers remain free when it comes to their security measures. The claim that EU rules would restrict this by forcing browsers to automatically accept certificates from member states is not fair, according to the European Commission: “We don’t want that either, and we emphasize that clearly.”

Preneel calls Europe’s communication an attempt to sow confusion: “It read the open letter and ignores it. It deliberately complicates things, but its certification and key thing is nonsense.” He also emphasizes that the interception of Internet traffic by authorities is not a fantasy: “Countries like France and India have already been caught red-handed, and the CIA and some private companies have already done it.”

More control possible, but not allowed

According to Preneel, it is also a myth that ETSI does not allow additional security for harmonization purposes: “There must be a minimum of requirements, but it is quite possible that an organization or government will raise the bar. Especially for this type of interception, Google has the ability to create a public list to control fake certificates and thus deter attackers through greater transparency. But if ETSI doesn’t allow it, there’s nothing an organization can do.”

Mozilla considers this to be a future security risk. Stampelos: “New technologies will emerge that threaten security. When they emerge, we cannot simply improve this system. It’s like with today’s technology: if there’s a lack of customization options, that’s a problem. It’s not flexible and certainly not future-proof.”

Preneel also does not expect ETSI to adhere to these very high standards. The organization consists of telecommunications companies, which in turn rely on governments for their licenses. Preneel: “In fact, they are in the government’s pocket, they will obey whatever is imposed on them.”
