Article 45(2): "Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services."
Article 45a(3): "A qualified electronic attestation of attributes issued in one Member State shall be recognised as a qualified electronic attestation of attributes in any other Member State".
Article 45a(4): "An attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source shall be recognised as an attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source in all Member States."
That text is almost a year old. The recent trilogue negotiations added paragraph 45(2a) which is not public yet (hence the complaints about secrecy) but is alluded to in the open letter (https://eidas-open-letter.org):
> The proposed legislation also prevents the introduction of security checks when verifying the certificates used for encrypted web traffic in Art 45, (2a). As written, this language requires that the EU’s website certificates not be subjected to any mandatory requirements beyond those specified in ETSI standards.
This is awful, as it would forbid browsers from requiring Certificate Transparency, or banning a weak hash algorithm (like SHA-1), or requiring post-quantum keys unless the EU agrees to it.
What they should do is to create an EU CA and all countries to have subordinate CAs. Then you only have to have one CA added to the browser list that ca be added/removed at will or only added when interacting with the government and then removed from the browser.
For non-tech people I am pretty sure someone could write a program that does this automatically - like two buttons, one saying you need to access the government and another that says you don't want to access the government anymore.
https://data.consilium.europa.eu/doc/document/ST-14959-2022-...
Article 45(2): "Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services."
Article 45a(3): "A qualified electronic attestation of attributes issued in one Member State shall be recognised as a qualified electronic attestation of attributes in any other Member State".
Article 45a(4): "An attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source shall be recognised as an attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source in all Member States."