undefined | Better HN

0 pointsradicalbyte2y ago0 comments

The regulation should be changed such that the QWAC is only ever used to verify during an eIDAS transaction.

The most practical way to achieve that is to legislate for a new API in the browser and implement this in the application layer. That will take some time to implement, however eIDAS itself will also take some time to implement.

This would involve the browsers implementing a new eIDAS-only CA store within their browsers. Which is very easy to do as it's new and the API is regulated thus fixed.

The verification flow would work by exchanging attributes (i.e. browser sends crypto-random message to server, server signs it, browser verifies). It adds work to the audit of eIDAS solutions (implementers will f** it up en masse as most of the involved parties are hopelessly bad) but it's better than the alternatives.

0 comments

2 comments · 1 top-level

agwa2y ago· 1 in thread

The browsers in fact proposed an alternative that decoupled eIDAS's real-world-identity verification from TLS connection verification, but the EU rejected it.

supriyo-biswas2y ago

Could you please link to the document in question for reference?

j / k navigate · click thread line to collapse