It's ultimately my decision which certificates I will trust. I can choose to trust just one certificate, and ignore the Mozilla root store, or I can use Mozilla's root store, and modify it. These are my decisions, not Mozilla's.
So this proposed regulation mandates that my browser must support QWAC, and include TSP roots? Does that mean that browsers MUST deprive me of the ability to control my root store? Would I be in violation if I modified my (open-source) browser so that it was no longer in compliance?
Supposing I published my patch on a website outside the EU (e.g. in the UK)?
To be clear, I don't want a root cert from any entity that is effectively controlled by a government to be trusted by my browser. Some governments bother me more than others; for example, a Turkish government-controlled CA was caught forging certificates. There's still a Turkish CA in there, I see; Debian have seen fit to remove it.
It's all fine, the sky won't fall. As long as I can still decide who I trust.
This is all the initial recommendation says about browsers and certificates. There is nothing about preventing browsers from allowing the users to configure this, just to have them support it (and most of this is already supported by browsers; this is mostly just a recommendation to force all browsers to implement site security):
> To that end, web-browsers should ensure support and interoperability with Qualified certificates for website authentication pursuant to Regulation (EU) No 910/2014. They should recognise and display Qualified certificates for website authentication to provide a high level of assurance, allowing website owners to assert their identity as owners of a website and users to identify the website owners with a high degree of certainty.
Edit: It also limits this to larger web browser providers in another part, and only after 5 years. People are free to run their own forks of browsers, so I doubt that it will be forbidden for browsers to just have a setting for specific sets of certs.
"It is just this" is something we hear very often when it is about user surveillance.
And then mandate sites use it for any age restricted content? Comes a year later. And everything against a backdrop that some EU members want encryption backdoors. Meanwhile we have safe e-commerce for years. No, thank you.