QWACS are untrustworthy because they can be issued by a CA that is not publicly audited.
But the way I understand it, a QWAC is an identity certificate, issued to users, not to websites. AIUI, websites are to be compelled to accept such user-certs in lieu of a password. Well, I don't see what that has to do with the contents of the root store - that controls the website identities that my browser will accept, not the user-identity that the website accepts.
I read the position paper, but not the regulation. I'd like to see a better explanation of the regulation.
But the way I understand it, a QWAC is an identity certificate, issued to users, not to websites. AIUI, websites are to be compelled to accept such user-certs in lieu of a password. Well, I don't see what that has to do with the contents of the root store - that controls the website identities that my browser will accept, not the user-identity that the website accepts.
I read the position paper, but not the regulation. I'd like to see a better explanation of the regulation.