For anyone who’s about to say that surveillance isn’t the point of this legislation: it definitely is; we very recently saw Germany trying to MITM jabber.ru users[1], having a CA that can be asked to issue any certificate is definitely something that’d be used for surveillance purposes.
eIDAS exists since there are many conflicting standards for electronic certificates. eIDAS is an effort to unify those standards. Maybe the clause where they say browsers have to add specific CAs is for spying, but eIDAS in general isn't to help spying, it's just there to help unify all the different electronic certificate services in the EU.
For example banking, signing official documents like grades from school etc., all of those use cases are a part of eIDAS. That is the core of the standard and there you really want to see all the certificate information to be sure it is the right origin, since unlike browsers there is no list of trusted CAs, you just see that some organization accepted it.
Edit: Browsers already had their own standard that they think is better than eIDAS, so they don't want this to apply to them. But Occam's razor says that EU just added "and browsers should also do this" instead of there being some conspiracy behind it, it was simple to just add everything instead of leaving just browsers out.
> eIDAS exists since there are many conflicting standards for electronic certificates. eIDAS is an effort to unify those standards.
Did we need laws to "unify" all the standards we successfully use today, like IP, UDP, TCP, HTTP, TLS, Certificate Transparency, HTML, ECMAScript, CSS, DNS, DMARC, DKIM, SSH, etc.? Laws are not the right tool for this. And law makers don't have the necessary expertise.
> Browsers already had their own standard that they think is better than eIDAS
Unlike the Browser/CA forum rules which are security focused, EIDAS comes from a government mandate first and foremost, so the concern isn’t entirely subjective as you suggest.
> "and browsers should also do this" instead of there being some conspiracy behind it
The law isn’t RFC 2119 where there is a distinction between SHOULD and MUST: the law is all about what an entity MUST do, so bringing up “should” in this context isn’t helping the point you’re trying to make.
> since unlike browsers there is no list of trusted CAs,
This Trusted CA is such a lie. I mean we all know that Google, MS etc. do ugly things with user data but apparently we have no objection to trusting them with cryptography.
A proper solution for MitM is mandatory independent certificate transparency, not outright denial of national CAs support in browsers. A German National CA should not be able to issue certificates for .ru in the first place and having a clear record of misbehavior in CT is probably not something operators of such CA would like to have even when pressured by intelligence agencies.
Browsers should get their shit together and add proper support of domain-limited CAs and add optional whitelisting of CAs for given websites.
> Browsers should get their shit together and add proper support of domain-limited CAs
They do in fact support this - e.g. Mozilla trusts KamuSM only for .tr [1], Chrome limited ANSSI to French TLDs [2].
However, there is no indication that the EU would be willing to accept such constraints on their national CAs. If you look at several of the current national European CAs, they routinely issue for generic TLDs like .com.
Browsers do have this, although this measure is only selectively applied for certain CAs where misissuance has been an issue (There was an Indian CA for which this was used, need to look around MDSP for the link. I’ll post it shortly.)
But it doesn't enable covert surveillance. Even without Certificate Transparency, the change in server certificate is visible to the client. Initiatives like Let's Encrypt could make it visible to server operators, too. The browser UI will present those new qualified certificates and existing certificates differently anyway, so I'm not sure if this is going to work.
The bigger issue is that for this to work at all, the regulation must have provisions for issuing fake assertions of existing identities to law enforcement and other security services. The predecessor didn't seem to have that. This is different from providing fake identification documents for undercover operations because as far as I understand it, those uses are usually mostly made-up and do not impersonate another person.
We would have to read the actual text of the proposed regulation to know the details, but both sides (legislators and those fueling the outrage machine) do not really want us to form our own opinion and hide the draft text from us.
Unfortunately this isn't how it works in practice.
Changes to server certificates happen all the time -- every 60 days or so, if you're getting certs from Let's Encrypt. Browsers can't tell their users every time a certificate changes because the users will just get notification-blindness and be trained to click past the warnings.
Let's Encrypt doesn't help server operators see this; I'm really not sure what you mean by that. Certificate Transparency would help server operators see this, but the new law text forbids browsers from requiring CT for these certs!
The law doesn't have to solve the problem of how security services will assert fake identities. Each member state can solve that internally. Allegedly, given the recent report of a hijack against jabber.ru and xmpp.ru, they already have. The problem is that, when they do, no one else has any recourse. No other member state can say "hey, don't hijack my websites!", no citizen can say "hey, don't hijack my traffic!", and no browser can say "hey, you issued a false certificate, we don't trust you anymore!".
Fundamentally, the whole issue with eIDAS comes down to one thing: you cannot mandate trust. By definition. If it's mandated, it isn't trust, it's something else. By mandating that browsers "trust" certain CAs, they're breaking the entire trust model of the internet.
Very concerning. As a slight aside though, it is not a "secret law". All EU laws are published on its website in every official language, and the vast majority of laws (including this one) must be publicly ratified by the directly elected European Parliament before coming into effect.
They should tone down this kind of sensationalist clickbait that I would expect to find in UK tabloids. They probably think it helps them impress the urgency of the matter on the public but frankly it just makes me doubt the veracity of the claims made in the article (though in this case I trust Mozilla and would hope that they are not misrepresenting the content of the law itself).
> and will be presented to the public and parliament for a rubber stamp before the end of the year
That's not how the EU parliament works, they're not just a rubber stamp. The topic is sufficiently grave without the need for clickbait and painfully obvious exaggerations.
As I understand it, the EU Parliament engages through the trilogues. Once agreement has been reached there, final approval is indeed more of a rubberstamp. (But: I'm just somewhat interested in the subject; I'm not an expert on the process.)
I don't think "classified" is the right word, but they haven't been published. They were leaked to various third parties, who got them to Mozilla / EFF / the other folks writing letters of protest today. Those parties haven't published the full text themselves, to protect the identity of the leaker.
So what happens to open source browsers? Will they be forced to implement it? Are the governments going to audit the code to make sure no one is releasing a version that has removed the government certs or are they going to outlaw open source browsers?
Again, this is not going to catch anyone with half a braincell that is trying to do something. This is just going to catch everyone else.
I wonder if this will tie into the BS that Google was trying to implement that would make it impossible to modify the webpage using adblockers etc., making it so you can't navigate the web if you are using an uncertified browser.
> I wonder if this will tie into the BS that Google was trying to implement that would make it impossible to modify the webpage using adblocker
Very likely, yes. Also note that a similar client-side CSAM scanning feature was rolled out by Apple with a similar anticipation, and shortly after we saw the proposal of Chatcontrol and the like.
If you are concerned by this proposal, then you should check out the current CAs trusted by your browser - all those CAs can issue rogue certificates trusted by your browser, that can be used in a MITM attack.
For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA
The CA system in browsers is inherently broken and it allows state actors to MITM you and see all your traffic if they:
1. have ability to capture IP traffic (requires cooperation with ISP)
2. have ability to generate rogue certificate via cooperation with CA
> 2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.
That's reassuring but, not knowing much about this, I have a couple of questions:
1. Is this proactively monitored for? And how? And by whom?
2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?
It's not like Beijing CA can issue a rogue certificate and suddenly a malicious actor would be able to decrypt all your internet traffic. You would have to connect to a service that uses those certificates in the first place.
An interesting experiment would be to log all certificates used by the sites you normally use, say for a month, and then look at the list for anything shady. I have no idea if an extension exists that would allow such an experiment, but the resulting list would be much more useful.
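A minimal version of the experiment proposed above, as an added example (not code from the thread or from any extension): record the leaf certificate each site presents, keep that as a baseline, and flag when the *issuer* changes rather than when the certificate merely renews. The network part uses only the Python standard library; the comparison runs on plain dict records, so the constructed records in the usage below exercise it offline. Host names and certificate bytes used as samples are made up.

```python
"""Record the leaf certificate each site presents and flag issuer changes.

Added example, not from the thread. A changed fingerprint alone is routine
(Let's Encrypt rotates certs every ~60 days); a changed issuer is the thing
worth a second look, so that is what compare() calls out.
"""
import hashlib
import json
import socket
import ssl
import sys
from typing import Dict, List

Record = Dict[str, str]  # host, subject, issuer, not_after, fingerprint


def _dn(rdns) -> str:
    # ssl.getpeercert() encodes a DN as a tuple of RDNs, each a tuple of (attr, value)
    return ",".join(f"{k}={v}" for rdn in rdns for k, v in rdn)


def record_from_parts(host: str, info: dict, der: bytes) -> Record:
    """Build a record from the dict shape ssl.getpeercert() returns plus DER bytes."""
    return {
        "host": host,
        "subject": _dn(info.get("subject", ())),
        "issuer": _dn(info.get("issuer", ())),
        "not_after": info.get("notAfter", ""),
        "fingerprint": hashlib.sha256(der).hexdigest(),
    }


def fetch_record(host: str, port: int = 443, timeout: float = 5.0) -> Record:
    """Complete a normal TLS handshake and record the leaf certificate presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    return record_from_parts(host, info, der)


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> List[str]:
    """Return one finding per host; issuer changes are marked loudly."""
    findings = []
    for host, now in current.items():
        before = baseline.get(host)
        if before is None:
            findings.append(f"{host}: first observation, issuer {now['issuer']}")
        elif now["issuer"] != before["issuer"]:
            findings.append(
                f"{host}: ISSUER CHANGED {before['issuer']!r} -> {now['issuer']!r}"
            )
        elif now["fingerprint"] != before["fingerprint"]:
            findings.append(f"{host}: routine renewal (same issuer, new key/cert)")
    return findings


def save(path: str, records: Dict[str, Record]) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(records, f, indent=2, sort_keys=True)


def load(path: str) -> Dict[str, Record]:
    try:
        with open(path, encoding="utf-8") as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


if __name__ == "__main__":
    # usage: python certwatch.py baseline.json host1 host2 ...  (run daily from cron)
    baseline_path, hosts = sys.argv[1], sys.argv[2:]
    baseline = load(baseline_path)
    current = {h: fetch_record(h) for h in hosts}
    for line in compare(baseline, current):
        print(line)
    save(baseline_path, {**baseline, **current})
```

Run it once a day against the sites you care about and the JSON file becomes the month-long log the comment asks for; the findings list is the part worth reading.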
No, that's not needed at all. If the malicious actor can man-in-the-middle traffic to victimsite.com (say using a BGP hijack), they can serve HTTPS traffic to the end user from their MITM server, secured with a certificate issued to "victimsite.com" that is issued by their own CA, and the MITM can then in turn communicate to the real victimsite.com using HTTPS secured by the real site's certificate, signed by its own CA.
Now, there are CAA DNS records, which serve the purpose of restricting the CAs that can sign a particular domain, which would of course be ignored by the malicious actor, but _could_ be checked by the end user's browser. But to the best of my knowledge, no browser does that.
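The two client-side scoping checks discussed in this subthread, as an added example (not code from the thread or from any browser): a per-root domain restriction of the kind Mozilla and Chrome apply to KamuSM and ANSSI (a root trusted only for names under a set of TLDs), and a CAA evaluation of the sort the comment above notes no browser performs. The CAA logic follows RFC 8659: the relevant record set is the closest one found walking up the name, `issue` lists the CAs allowed to issue, `issuewild` governs wildcards and falls back to `issue` when absent, and an empty relevant set permits any CA. DNS is replaced by a constructed dict so the code runs offline; the zone names and CA names are made up.

```python
"""Scope which CA may vouch for which names: root domain restriction + CAA.

Added example, not from the thread. The CAA evaluation follows RFC 8659;
the root-scope check models a browser trusting a root only for some TLDs.
"""
from typing import Dict, List, Optional, Set, Tuple

CaaRecord = Tuple[str, str]           # (tag, value), e.g. ("issue", "letsencrypt.org")
CaaZone = Dict[str, List[CaaRecord]]  # constructed stand-in for DNS lookups


def name_under(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().strip(".")
    return name == suffix or name.endswith("." + suffix)


def root_allows(root_scope: Optional[Set[str]], san_names: List[str]) -> bool:
    """root_scope None = unrestricted root. Otherwise every SAN must sit under one
    allowed suffix, so a root trusted only for 'tr' cannot vouch for example.com."""
    if root_scope is None:
        return True
    return bool(san_names) and all(
        any(name_under(n, s) for s in root_scope) for n in san_names
    )


def relevant_caa(name: str, zone: CaaZone) -> List[CaaRecord]:
    """RFC 8659 §3: walk from the name toward the root, return the first CAA set."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]), [])
        if records:
            return records
    return []


def caa_permits(name: str, issuer_domain: str, zone: CaaZone) -> bool:
    """Would a CA identified by issuer_domain be permitted to issue for name?"""
    wildcard = name.startswith("*.")
    records = relevant_caa(name, zone)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    tag = "issue"
    if wildcard and any(t == "issuewild" for t, _ in records):
        tag = "issuewild"
    # value syntax is "<issuer-domain>[; param=value ...]"; ";" alone forbids everyone
    allowed = [v.split(";", 1)[0].strip().lower() for t, v in records if t == tag]
    if not allowed:
        return True  # set exists (e.g. only iodef) but carries no issue restriction
    return issuer_domain.lower() in allowed


def client_accepts(root_scope: Optional[Set[str]], issuer_domain: str,
                   san_names: List[str], zone: CaaZone) -> bool:
    """A client applying both checks accepts the chain only if both pass."""
    return root_allows(root_scope, san_names) and all(
        caa_permits(n, issuer_domain, zone) for n in san_names
    )


if __name__ == "__main__":
    zone = {"example.test": [("issue", "letsencrypt.org")]}
    print(client_accepts({"tr"}, "letsencrypt.org", ["www.example.test"], zone))  # False
```

Browsers do not consult CAA at validation time because CAA is an issuance-time control for CAs; the point of the model is to show what a domain-scoped root and a CAA policy would each have refused in the scenario the comment describes.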
In the case of mainland China, it’s easy for the Party to 1) issue a malicious certificate and 2) redirect your Internet traffic to a MITM box. They do 2) all the time when blackholing Internet traffic.
With certificate logs there is a chance, I don’t know how high, to catch 1).
You lose nothing, gain nothing. It's hard for China to reroute your traffic, and even if they did, what can they do to you after that?
It's your own government that can actually do something bad to you.
(unless you're doing some really really nasty stuff, and China wants to eliminate you for those reasons, and is willing to create a large international incident because of that).
I think this is a matter of assumption. For communication through mainland China, one should assume that all internet traffic is actively surveilled with probably way easier methods than CAs. On the other hand, this assumption is definitely not as true in the EU, nor do I think the Chinese government forces Firefox to trust CAs by law (talking about irony)….
The browser/CA forum’s requirement to log all issuances into the CT log takes care of this; the EU mandate hardly has such requirements while still mandating the inclusion of root certs. The approach of the browser/CA forum vs EIDAS cannot be equated for this reason.
Just adding a perspective (not necessarily mine, I'm still on the fence) supporting this legislation from a tech-literate person in the EU.
The digital administration in my country has made my life so much easier. We all have mandatory ID cards since decades ago, but now they have a chip with some certs for auth, signing, etc. I can check my taxes, fill government forms, see any traffic tickets, sign official documents from my home thanks to this. However, as far as I understand, this relies on my user agent accepting some particular CAs. This is critical, to the point of my browser preventing me access to some parts of the administration if the CA is not up to date or recognised or whatever.
What this legislation proposes, if I understand it correctly, is putting in the hands of the government the power to administer (part of) this CA infrastructure. As with much EU-related legislation, this forcefully transfers power from private (often American) entities to EU governments. I guess when trust in your government is higher than or equal to trust in private firms, this doesn't sound so bad.
Not saying this is right or wrong, but maybe this helps understand why many people in the EU may not be so against this type of legislation.
You should read the letter, it's worse than that. It makes these gov CAs unrejectable, along with providing a means of tracking your activity. Essentially, it's like giving your least trusted EU country access to your browsing history and some of your decrypted traffic.
They could have reduced scope, but looking at effects perhaps that's not what they actually want.
> along with providing a means of tracking your activity. Essentially, it's like giving your least trusted eu country access to your browsing history and some of your decrypted traffic.
This one though, not quite. Can you explain in layman terms, maybe by means of a practical example, how this would work exactly and what is needed for it?
> Not saying this is right or wrong, but maybe this helps understand why many people in the EU may not be so against this type of legislation.
I'm with you. I think most of the fuss is about forcefully involving government in the CA infrastructure and the fact that this affects the rest of the world.
As to the latter, I've always found it weird that by default all root stores contain hundreds of CAs from all over the world. By default, anyone is assumed to trust large companies (Google, Amazon) equally with nation states (Staat der Nederlanden) and shady entities (Hongkong Post Office). So it's not surprising to have everyone up in arms if the EU adds yet another chair to this table.
Wouldn't it make much more sense if users took more control and responsibility of the certs in their root store? Wouldn't it make more sense to restrict CAs to certain domains? I would be okay with an EU-sanctioned CA if it could only assert authenticity of EU services, but not shops or whitehouse.gov. I've always felt that it would make much more sense if CAs were much more restricted to specific "trust use cases".
This isn't adding a few CAs so your browser trusts the tax website. This appears to be replacing all of them so the EU can see the contents of all traffic that is proxied in and out of the country. None of that seems likely to work for actual bad people.
- for a CA that is a business (or a non-profit), trust is their product, and if Let's Encrypt fails at its job then clients can go elsewhere
- not sure but in EU I would assume they are going to install all member states' CA certificates into all browsers, so then EU member state government A can MITM a connection for a citizen of member state B
- even if a website has a certificate from any current provider, any EU government can still MITM a user without the company knowing
Also, as it's technically possible to combat the legislation, then how much would it actually help? Wouldn't any "criminal" pay attention to it too, e.g. by using an appropriate browser?
Article 45(2): "Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services."
Article 45a(3): "A qualified electronic attestation of attributes issued in one Member State shall be recognised as a qualified electronic attestation of attributes in any other Member State".
Article 45a(4): "An attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source shall be recognised as an attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source in all Member States."
That text is almost a year old. The recent trilogue negotiations added paragraph 45(2a) which is not public yet (hence the complaints about secrecy) but is alluded to in the open letter (https://eidas-open-letter.org):
> The proposed legislation also prevents the introduction of security checks when verifying the certificates used for encrypted web traffic in Art 45, (2a). As written, this language requires that the EU’s website certificates not be subjected to any mandatory requirements beyond those specified in ETSI standards.
This is awful, as it would forbid browsers from requiring Certificate Transparency, or banning a weak hash algorithm (like SHA-1), or requiring post-quantum keys unless the EU agrees to it.
What they should do is to create an EU CA and have all countries run subordinate CAs. Then you only have to have one CA added to the browser list that can be added/removed at will, or only added when interacting with the government and then removed from the browser.
For non-tech people I am pretty sure someone could write a program that does this automatically - like two buttons, one saying you need to access the government and another that says you don't want to access the government anymore.
Fundamentally, the whole issue with eIDAS comes down to one thing: you cannot mandate trust.
If it's mandated, it isn't trust. It's something else. By mandating that browsers "trust" certain CAs, they're breaking the entire trust model of the internet.
My only question is whether they truly don't understand this, do understand it but don't care, or are actively interested in destroying that trust.
[1] https://notes.valdikss.org.ru/jabber.ru-mitm/
I have no Earthly idea why a) this needs to be done digitally, or b) for the EU to be involved (at EU level) with this.
Unfortunately if you pitch mission creep vs the principle of subsidiarity, the former wins every time.
[1] https://groups.google.com/a/mozilla.org/g/dev-security-polic...
[2] https://security.googleblog.com/2013/12/further-improving-di...
https://mullvad.net/en/blog/2023/11/2/eu-digital-identity-fr...
https://alecmuffett.com/article/108139
(via https://news.ycombinator.com/item?id=38109581 and https://news.ycombinator.com/item?id=38109731 respectively, but we merged the comments hither)
I’ve watched many of their YouTube presentations.. all with less than 100 views when I watched them, despite them being uploaded for some time.
> So what happens to open source browsers?
See my other comment on the same thread[1].
[1] https://news.ycombinator.com/item?id=38110667
1. Major browsers (Chrome, Safari, Edge) only accept certificates which are published in Certificate Transparency logs.
2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.
So it's not really viable to use the existing CA system for MitM attacks.
The eIDAS proposal would:
1. Prevent browsers from distrusting CAs which are used in MitM attacks.
2. Ban mandatory checks (such as Certificate Transparency) on certificates unless the EU agrees to them.
That creates a system that is very viable for government MitM attacks.
For someone living in the West, what are the consequences of deleting or distrusting those CAs?
If you run into some websites which use them the browser will tell you that the certificate is invalid; you can always reinstall them if you prefer.
That part I understood
If some government sites want to use their CA that's one thing, but what matters to identify you is the key stored in your ID card.
https://data.consilium.europa.eu/doc/document/ST-14959-2022-...