Talk:EIDAS

Copyright problem removed
Prior content in this duplicated one or more previously published sources. The material was copied from: http://www.cryptomathic.com/news-events/blog/understanding-the-major-terms-around-digital-signatures. Copied or closely paraphrased material has been rewritten or removed and must not be restored, unless it is duly released under a compatible license. (For more information, please see "using copyrighted works from others" if you are not the copyright holder of this material, or "donating copyrighted materials" if you are.)

For legal reasons, we cannot accept copyrighted text or images borrowed from other web sites or published material; such additions will be deleted. Contributors may use copyrighted publications as a source of information, and, if allowed under fair use, may copy sentences and phrases, provided they are included in quotation marks and referenced properly. The material may also be rewritten, providing it does not infringe on the copyright of the original or plagiarize from that source. Therefore, such paraphrased portions must provide their source. Please see our guideline on non-free text for how to properly implement limited quotations of copyrighted text. Wikipedia takes copyright violations very seriously, and persistent violators will be blocked from editing. While we appreciate contributions, we must require all contributors to understand and comply with these policies. Thank you. /wiae /tlk  18:01, 7 April 2016 (UTC)

Data-Security and eIDAS
Increasingly I follow discussions on the security of eIDAS. I.e. the risk that centralized trust-service-providers could be tempted to breach data security laws and misuse data as they have an overall insight into transactions, participating agents (nodes) their relationships (edges). Governments (or Espionage agencies and hackers) would get easy access to a network of relationships which can be maliciously exploited. I know that ETSI is continuously working on additional standards helping to secure the data and to better specify eIDAS. But I did not find any notable source so far that allows to discuss this in the article. Please contribute! ScienceGuard (talk) 08:13, 14 December 2016 (UTC)


 * You were prescient. Seven years later, the EU is expanding the law to enable exactly that. There weren't reliable sources then, but there certainly are a lot clamoring about it now. DenverCoder19 (talk) 16:39, 4 November 2023 (UTC)

eIDAS 1.0 and 2.0 separate
Should the 1st and 2nd versions of the law be separate articles or single ones? DenverCoder9 (talk) 15:37, 4 November 2023 (UTC)

Article 45
A significant proportion of publications covering the law specifically examine Article 45, so I've put more weight to it, since this seems to be the most historically significant provision of the law. DenverCoder19 (talk) 16:21, 4 November 2023 (UTC)

MITM Section inaccuracy
The section "Man-in-the-middle attacks and mass surveillance" has a very negative tone. It also states various factually incorrect statements and fearmongering. I have problems with the following:

- The term "EU Government". This sounds like the EU as a organization will be able to read, decrypt and perhaps re-encrypt HTTPS traffic, when it is in fact the national government that would be able do that.

- The mentions about the EU being able to "hack into any internet-enabled device" is too extreme and unsubstantiated with the sources provided. While yes, internet traffic could theoretically be intercepted and decrypted, that alone wouldn't allow "the EU" to "hack any internet-enabled device".

For this I am marking this section as disputed. Creekie (talk) 10:41, 9 November 2023 (UTC)


 * "Any EU government" refers unequivocally to any government in the EU. It's plural. This might be an American-European English split. In American English, "government" generally refers to the public sector as a whole, not the parliament or cabinet.
 * Yes, in fact it would allow any EU government to hack into the communications of any internet-enabled device. As long as a device is controlled by the internet, the packets can be intercepted and modified, as stated in the source. DenverCoder19 (talk) 01:23, 24 November 2023 (UTC)
 * The purpose of Qualified Web Authentication Certificates (QWACs) is to enhance the security and transparency of the Internet as trusted services. QWACs do not restrict browsers own security policies, especially as Article 45 of the Identity Regulation leaves it up to them to maintain their own procedures and criteria in order to maintain and preserve the privacy of online communication using encryption and other proven methods.
 * The final version of the European Digital Identity Regulation has confirmed this fact. https://www.europarl.europa.eu/doceo/document/TA-9-2024-0117_EN.pdf
 * Recital 65 establishes that, for the purpose of enhancing online security for end-users, "providers of web browsers should, in exceptional circumstances, be able to take precautionary measures that are both necessary and proportionate in response to substantiated concerns regarding security breaches or the loss of integrity of an identified certificate or set of certificates."
 * Finally, the Commissions’ statement issued in the Parliament has made it clear that recognising QWACs does not impose obligations or restrictions on how web browsers establish encrypted connections with websites or authenticate the cryptographic keys. This stance does not impact browser security policies. (Statement by the Commission on Article 45 on the occasion of the adoption of Digital Identity Regulation).
 * QWACs enable website identification at a high level of assurance, attesting the link between the website domain name and the natural or legal person to whom the certificate is issued, and confirming the identity of that person. Providers of web-browsers should then display the certified identity data and the other attested attributes to the end-user in a user-friendly manner in the browser environment. 158.169.40.25 (talk) 09:07, 9 April 2024 (UTC)

MITM Qualification
A user added "While the main language of that text..." If I'm reading this correctly, it suggests that web browsers will be able to detect a MITM. However, they will still be able to perform the MITM, which is what a wide range of organizations were concerned about.

Is there a third-party source that analyzes this assertion? The source appears to be a single organization and not a secondary source. DenverCoder19 (talk) 01:48, 2 December 2023 (UTC)


 * QWAC issuers will have to undergo constant monitoring by their auditors in addition to annual audits, plus annual evaluation by an independent Conformity Assessment Body, as well as monitoring and approval by a national Supervisory Body. It is difficult to imagine how in this scenario the use of QWACS should facilitate an undetected MITM attack. Please refer to the detailed statement elaborated by the European Signature Dialogue to correct misinformation on the topic. (4) Post | LinkedIn 158.169.40.25 (talk) 09:08, 9 April 2024 (UTC)