David Huberman wrote on 15/11/2021 21:31:
> I guess I'm not grokking why you think this kind of regulation would have no legal basis when regulators are proposing something very similar in eIDAS article 45 (all web browsers must accept CAs which we the regulators approve) and in NIS2 for root server operators with more than 10 instances. The concept of Trusted Service Providers in EU regulations already exists and is already quite powerful.

Mandating specific CAs in a browser - although a remarkably stupid thing to do, if that's what's being discussed, and it's not clear from eIDAS art. 45 that this is necessary within the terms of that regulation - is not the same as hijacking DNS resolution services. There's a gap between the two and it's not that small either.
Separately, NISD2 is not yet finalised, nor is it being mandated by regulators: it's being written by lawmakers, who have taken root servers out of scope of the directive. In relation to trust service providers, the requirements here relate mostly to process management and providing a legal framework in which TSPs can operate consistently across multiple countries. You can't really operate a society which depends on electronic trust mechanisms without having a legal framework for this.

Nick