
What's the enforcement mechanism for including the root certs? As far as I know, there is no web browser that is sold for money. That means that if you're Apple or Google, you can spin off a company that has no presence in the EU and ship whatever root certificates you want, and it's not like you lose out on revenue. You probably dispel a lot of antitrust concerns as well.

At the end of the day, what certs you trust is a personal decision. It's not a democracy; there is no need for an entire country to agree on which certificates are trusted and mandate that by law. Pick the ones who you trust, and your choice need not affect my choice. (Most of us delegate to browser vendors, OS vendors, or our employer, of course, but that is a choice. Don't like Apple's set of root certs? Delete the ones you don't trust, or use Firefox, or use Chrome.)



The actual enforcement mechanism is the root store programs, i.e. the browsers ultimately decide. The CA/Browser forum is supposed to be a cooperative way for CAs and Browsers to agree technical standards but on the CA side this self regulation doesn't always work.

Perhaps the best "big name" distrusted CA would be Symantec: https://blog.mozilla.org/security/2018/03/12/distrust-symant...

Others include WoSign and StartCom.

The problem with eIDAS is that browsers can no longer police these CAs, as they are legally mandated to carry them. There needs to be a mechanism whereby such a CA can be distrusted, doubly so if it is issuing "qualified" certificates (if it cannot get the basics right it should not attest to someone's legal identity).

On the flip side to this there is nothing stopping Europe distributing additional roots that install themselves in browsers. I work in finance and we operate several closed CAs. Our clients install our CAs all the time. It just would not be on by default nor pop up the EV bit.

But that does not stop the digital wallet software (the motivation for this) peering into the certificate itself and making sure it is a qualified certificate.
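The "peering into the certificate" step above is concrete: a qualified certificate carries the qcStatements extension (RFC 3739, OID 1.3.6.1.5.5.7.1.3) containing the ETSI QcCompliance statement (0.4.0.1862.1.1). The following is an added example, not code from any poster or project, that decodes a constructed qcStatements value with the standard library and reports whether that statement is present.

```python
"""Decode an X.509 qcStatements extension value and look for the ETSI
QcCompliance statement that marks an eIDAS "qualified" certificate."""
# Added example; stdlib only. The extension values at the bottom are
# hand-constructed DER for this demonstration, not from a real certificate.

QC_COMPLIANCE_OID = "0.4.0.1862.1.1"   # ETSI EN 319 412-5 id-etsi-qcs-QcCompliance

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn DER OID content bytes into dotted-decimal text."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # last byte of this arc
            arcs.append(value)
            value = 0
    x = min(arcs[0] // 40, 2)               # first two arcs are packed as 40*x + y
    return ".".join(str(a) for a in [x, arcs[0] - 40 * x] + arcs[1:])

def qc_statement_ids(ext_value):
    """Return the statementId OIDs found in a qcStatements extension value.
    Layout: SEQUENCE OF QCStatement, QCStatement ::= SEQUENCE { statementId OID, info OPTIONAL }."""
    tag, seq_of, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("qcStatements is not a SEQUENCE")
    ids, pos = [], 0
    while pos < len(seq_of):
        tag, stmt, pos = _read_tlv(seq_of, pos)
        if tag != 0x30:
            raise ValueError("QCStatement is not a SEQUENCE")
        oid_tag, oid_raw, _ = _read_tlv(stmt, 0)   # statementId comes first
        if oid_tag != 0x06:
            raise ValueError("statementId is not an OID")
        ids.append(_decode_oid(oid_raw))
    return ids

def is_qualified(ext_value):
    """True when the extension asserts QcCompliance (a qualified certificate)."""
    return QC_COMPLIANCE_OID in qc_statement_ids(ext_value)

# Constructed: SEQUENCE { SEQUENCE { OID 0.4.0.1862.1.1 } }
QUALIFIED_EXT = bytes.fromhex("300a3008060604008e460101")
# Constructed: only RFC 3739 id-qcs-pkixQCSyntax-v2 (1.3.6.1.5.5.7.11.2), so not qualified
PLAIN_EXT = bytes.fromhex("300c300a06082b06010505070b02")
```

The statement is a self-assertion by the issuer; wallet software still has to chain the certificate to a root it trusts before the flag means anything.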


> At the end of the day, what certs you trust is a personal decision. It's not a democracy; there is no need for an entire country to agree on which certificates are trusted and mandate that by law. Pick the ones who you trust, and your choice need not affect my choice. (Most of us delegate to browser vendors, OS vendors, or our employer, of course, but that is a choice. Don't like Apple's set of root certs? Delete the ones you don't trust, or use Firefox, or use Chrome.)

This isn't entirely true. Let's disregard for a moment the spy agency's wet dream that this law introduces (likely fully intentionally). The more benign intent of this law is to prevent foreign entities from the EU (Mozilla, Google, Apple) from having the final say on whether two kinds of EU organizations (site operators and root CA operators) can successfully reach their clients.

Of course you in your capacity as a consumer don't care whether I trust the same root CAs as I do. But a site operator very much cares whether all of their target audience trusts their site, and by extension the root CA that they are paying, and would like for their government to guarantee this trust.

The theoretical problem that this law is theoretically intended to protect from is browser vendors imposing hostile requirements on certificates which cost EU companies money and/or access to clients. It's a form of protectionism, ultimately.

Of course, the law is clearly being influenced by EU members' security agencies as well, who would love to have the ability to issue fake certificates for any site on the internet. With this new law, they would only need to infiltrate/coerce/fool their local root CA and local auditors, and they'd get free rein over encryption everywhere in the EU at least.


If this was truly about protectionism, they would mandate CA transparency reports. This is unilaterally a law written to spoof certs to websites EU spy agencies would love to get their hands on.

I don't even trust my own country's spy agencies to not spy on me without cause, how could I ever trust, say, Hungary's?


This overshoot may have the opposite effect though. I think the browser vendors will have more trouble limiting plugins that monitor certificates and perhaps build a p2p transparency report of sorts. Right now the default CAs include the federal post offices, etc, of all sorts of seedy countries.


Spinning Chrome off and keeping enough daylight between Google and the new entity to have any hope of it meaning anything legally-speaking, would likely require Google to stop pushing Chrome like a heavily-indebted crack dealer on all their other properties. They'd probably rather just ship the certs.


It's not only browsers though. The OS has a root store which is used by other non-browser apps. I also want my email program not to be susceptible to government MitM attacks. And whatever else I'm running. Apple and Windows could be compelled to limit the degree to which that store is mutable or even visible.

More and more it looks like Linux on the desktop is the only option.


I would assume coercing the OS providers (MS/Apple/Google) who do sell a system with a browser for money into shipping the backdoored browser would be enough of a win for them. Not a lot of people change their browser, even when it was stupid old Internet Explorer...


If this was actually true, Chrome would not have anywhere near the market share it has.


I never said it was the majority, but if you look at the numbers there's a chunkable size of population that don't change (and it's been higher than the Mozilla market share for many years now), that number is getting bigger now that Edge is not immediately terrible anymore (I know several people who used Chrome and now stick to Edge). Plus we have a history of people keeping the default browser around just in case since gov websites were always optimized for weird setups like "Internet Explorer running Java applets".


I feel like "Edge only exists so I can download Chrome" is a meme that many, many people outside the software engineering field relate to. Go post it to Reddit, instant 100k upvotes every time ;)


> That means that if you're Apple or Google, you can spin off a company that has no presence in the EU and ship whatever root certificates you want, and it's not like you lose out on revenue.

If such a solution would work, Microsoft would have done it in its famous browser monopoly suit.


I mean, isn't that the solution the government wanted? It was about bundling and interfering with other products the user had installed. An "arm's length" is all that they would have needed to do.



