eIDAS articles 45 & 45a, and their impact on Vanadium security

dln949

First I must say, I barely understand the basics of this stuff.

I came across this article: https://mullvad.net/en/blog/2023/11/2/eu-digital-identity-framework-eidas-another-kind-of-chat-control/ . It seems the EU wants to force browsers to accept EU governments as certificate authorities so that certificates issued by EU government agencies would be trusted by browsers.

The way I understand the ramifications of this, that would allow them, in conjunction with things like DNS spoofing, to "convince" a browser that a faked web site they created is legitimate, and thus the agency can observe the traffic.

1) What might the GrapheneOS developers do so that Vanadium can be protected against this?
2) I've read elsewhere that the idea is that this is to be limited to the EU. I don't understand that. For someone outside the EU, how can that person not be impacted by something like this?

Titan_M2

dln949 1) What might the GrapheneOS developers do so that Vanadium can be protected against this?

GrapheneOS can simply not include those certificates authorities. It has already removed problematic ones in the past.

I've read elsewhere that the idea is that this is to be limited to the EU. I don't understand that. For someone outside the EU, how can that person not be impacted by something like this?

It could only apply to people using browsers in EU.