Talk:EIDAS

Latest comment: 1 month ago by کاربر نامناسب in topic Inaccurate introduction
edit

Prior content in this article duplicated one or more previously published sources. The material was copied from: http://www.cryptomathic.com/news-events/blog/understanding-the-major-terms-around-digital-signatures. Copied or closely paraphrased material has been rewritten or removed and must not be restored, unless it is duly released under a compatible license. (For more information, please see "using copyrighted works from others" if you are not the copyright holder of this material, or "donating copyrighted materials" if you are.)

For legal reasons, we cannot accept copyrighted text or images borrowed from other web sites or published material; such additions will be deleted. Contributors may use copyrighted publications as a source of information, and, if allowed under fair use, may copy sentences and phrases, provided they are included in quotation marks and referenced properly. The material may also be rewritten, providing it does not infringe on the copyright of the original or plagiarize from that source. Therefore, such paraphrased portions must provide their source. Please see our guideline on non-free text for how to properly implement limited quotations of copyrighted text. Wikipedia takes copyright violations very seriously, and persistent violators will be blocked from editing. While we appreciate contributions, we must require all contributors to understand and comply with these policies. Thank you. /wiae /tlk 18:01, 7 April 2016 (UTC)Reply

References

edit

A couple of days ago, some of the references in the eIDAS article where removed by an anonymous user with the justification that they were "SPAM". I strongly support the movement of keeping Wikipedia free of spam. However I had to undo the activity as it was not justified. Let me defend the notability of the authors quoted in the following. The first reference deleted as spam was by Jens Bender from Fraunhofer Institute, one of Germany's most renowned research institutes. The source was published on www.Bund.de, which is the public portal of Germany's Federal Administration. The source was critically evaluating opportunities and risks and helped to bring the article away from wiktionary kind of explanation towards an evaluating essay. Also Ashiq J.A. is known to many security experts. His tweets on #infosec have more than 800 followers (https://twitter.com/AshiqJA). Mr Ashiq is security evangelist within the U.A.E government and brought a valuable outside perspective. Then there were quotes by Mrs Dawn Turner. I like her posts and regularly quote her as she creates the bigger picture, sets into context and explains. Especially when talking about the intersection of information security and law, this helps a lot. Additional sources will help to enhance. But please avoid destructive steps that would harm the credibility of the article. Discussions in the talk section would be the most fruitful. I like those discussions like in the talk of the Beatles entry. They help sharpening and improving the article. And please do not work anonymously. ScienceGuard (talk) 08:07, 14 December 2016 (UTC)Reply

Data-Security and eIDAS

edit

Increasingly I follow discussions on the security of eIDAS. I.e. the risk that centralized trust-service-providers could be tempted to breach data security laws and misuse data as they have an overall insight into transactions, participating agents (nodes) their relationships (edges). Governments (or Espionage agencies and hackers) would get easy access to a network of relationships which can be maliciously exploited. I know that ETSI is continuously working on additional standards helping to secure the data and to better specify eIDAS. But I did not find any notable source so far that allows to discuss this in the article. Please contribute! ScienceGuard (talk) 08:13, 14 December 2016 (UTC)Reply

You were prescient. Seven years later, the EU is expanding the law to enable exactly that. There weren't reliable sources then, but there certainly are a lot clamoring about it now. DenverCoder19 (talk) 16:39, 4 November 2023 (UTC)Reply

eIDAS 1.0 and 2.0 separate

edit

Should the 1st and 2nd versions of the law be separate articles or single ones? DenverCoder9 (talk) 15:37, 4 November 2023 (UTC)Reply

Depends on finding good sources to see how if they described eIDAS2 being significantly different from eEIDAS1. The MITM attack makes it sound like eIDAS2 is completely different in the sense of being a massive privacy violation, while eIDAS1 enabled privacy protection by allowing people to avoid the risk of their handwritten signatures propagating to identity thives. In any case, the material is currently here, so building it up properly here based on good WP:RS and then proposing a WP:SPLIT later can't hurt. Boud (talk) 10:28, 30 September 2024 (UTC)Reply

Article 45

edit

A significant proportion of publications covering the law specifically examine Article 45, so I've put more weight to it, since this seems to be the most historically significant provision of the law. DenverCoder19 (talk) 16:21, 4 November 2023 (UTC)Reply

MITM Section inaccuracy

edit

The section "Man-in-the-middle attacks and mass surveillance" has a very negative tone. It also states various factually incorrect statements and fearmongering. I have problems with the following:

- The term "EU Government". This sounds like the EU as a organization will be able to read, decrypt and perhaps re-encrypt HTTPS traffic, when it is in fact the national government that would be able do that.

- The mentions about the EU being able to "hack into any internet-enabled device" is too extreme and unsubstantiated with the sources provided. While yes, internet traffic could theoretically be intercepted and decrypted, that alone wouldn't allow "the EU" to "hack any internet-enabled device".

For this I am marking this section as disputed. Creekie (talk) 10:41, 9 November 2023 (UTC)Reply

"Any EU government" refers unequivocally to any government in the EU. It's plural. This might be an American-European English split. In American English, "government" generally refers to the public sector as a whole, not the parliament or cabinet.
Yes, in fact it would allow any EU government to hack into the communications of any internet-enabled device. As long as a device is controlled by the internet, the packets can be intercepted and modified, as stated in the source. DenverCoder19 (talk) 01:23, 24 November 2023 (UTC)Reply
The purpose of Qualified Web Authentication Certificates (QWACs) is to enhance the security and transparency of the Internet as trusted services. QWACs do not restrict browsers own security policies, especially as Article 45 of the Identity Regulation leaves it up to them to maintain their own procedures and criteria in order to maintain and preserve the privacy of online communication using encryption and other proven methods.
The final version of the European Digital Identity Regulation has confirmed this fact. https://www.europarl.europa.eu/doceo/document/TA-9-2024-0117_EN.pdf
Recital 65 establishes that, for the purpose of enhancing online security for end-users, "providers of web browsers should, in exceptional circumstances, be able to take precautionary measures that are both necessary and proportionate in response to substantiated concerns regarding security breaches or the loss of integrity of an identified certificate or set of certificates."
Finally, the Commissions’ statement issued in the Parliament has made it clear that recognising QWACs does not impose obligations or restrictions on how web browsers establish encrypted connections with websites or authenticate the cryptographic keys. This stance does not impact browser security policies. (Statement by the Commission on Article 45 on the occasion of the adoption of Digital Identity Regulation).
QWACs enable website identification at a high level of assurance, attesting the link between the website domain name and the natural or legal person to whom the certificate is issued, and confirming the identity of that person. Providers of web-browsers should then display the certified identity data and the other attested attributes to the end-user in a user-friendly manner in the browser environment. 158.169.40.25 (talk) 09:07, 9 April 2024 (UTC)Reply
Just a warning to others: if it qwacs like the EC, and if it uses an EC IP, it might actually be an EC employee. See the next section or Wikipedia:Conflict of interest/Noticeboard#European Commision IP range for possible discussion on the wider issue of EC IP edits on Wikipedia. Boud (talk) 12:12, 30 September 2024 (UTC)Reply

MITM Qualification

edit

A user added "While the main language of that text..." If I'm reading this correctly, it suggests that web browsers will be able to detect a MITM. However, they will still be able to perform the MITM, which is what a wide range of organizations were concerned about.

Is there a third-party source that analyzes this assertion? The source appears to be a single organization and not a secondary source. DenverCoder19 (talk) 01:48, 2 December 2023 (UTC)Reply

QWAC issuers will have to undergo constant monitoring by their auditors in addition to annual audits, plus annual evaluation by an independent Conformity Assessment Body, as well as monitoring and approval by a national Supervisory Body. It is difficult to imagine how in this scenario the use of QWACS should facilitate an undetected MITM attack. Please refer to the detailed statement elaborated by the European Signature Dialogue to correct misinformation on the topic. (4) Post | LinkedIn 158.169.40.25 (talk) 09:08, 9 April 2024 (UTC)Reply
The suggestion that monitoring bodies will have the power to do anything is highly dubious speculation. After all, the European Commission, which you (158.169.40.25) appear to represent (see WP:COI for how to declare a paid or unpaid conflict of interest), is in violation of the European privacy protection law, as established by the European Data Protection Supervisor (EDPS), a regulatory agency of the European Union, and was given nine months to comply. Instead of complying, the EC and Microsoft have launched legal actions attacking the EDPS (exercise: find the sources).
There is no point providing a link to LinkedIn - that is a private link that many editors don't have access to, and it is a generally unreliable source. Boud (talk) 12:07, 30 September 2024 (UTC)Reply

Inaccurate introduction

edit

tl;dr eIDAS covers a variety of topics. The last paragraph of the intro about MITM and mass surveillance exclusively refers to QWAC and not other eIDAS features (judged by the references). So I propose moving it to the MITM section after addressing the following misunderstandings.

Misunderstanding of illegitimate certs and MITM

QWAC only regards Web communications, i.e., through a web browser: by mandating trust store maintainers (e.g., browsers) to accept trust anchors (root certificates) that might not comply to their rules, the browser is forced to trust any certificate signed by that trust anchor. So if an anchor (or any of its subordinate CAs) illegitimately issues a cert, e.g., for gmail.com (just as what happened during the DigiNotar hack), the browser would accept it and show the padlock. To actively abuse this issue and impersonate a service with a fake certificate, packets to the legitimate service have to be redirected to a server that actually deploys the fake certificate either through DNS spoofing or attacks such as BGP hijacking that can divert requests to the malicious server. So the claim that being able to issue certificates for any arbitrary domain name gives the power to intercept communication with servers under those names is plainly false. This, however, does not mean that that aforementioned attacks (e.g., by nation states) are infeasible.

Misunderstanding of communication over the Internet

The term "all internet messages" is vague. Messages over the Internet are transmitted over different protocols and are secured in different ways. Having a trust anchor in a browser trust store (as stated above), does not mean that it is going to be accepted as trustworthy in other settings. For example, the Signal App uses (or at least used to) a self-signed certificate and pin it directly in the source code, whereas the validation is independent of a trust store. The same goes for VPN communication where authentication is not necessarily through Web PKI certificates. کاربر نامناسب (talk) 22:15, 18 October 2024 (UTC)Reply