I wonder whether site operators could mitigate this by using SPF-like DNS records to say which cert authorities their site uses. It's of course possible for a sophisticated attacker to try to interfere with such a workaround but:
1) The DNS ecosystem is messy with OS, browser and cached records. This makes it very annoying and slow for attackers to target anything but individual users.
2) Browser vendors, if needed, could verify such DNS records over an EU-free connection for most sites.
3) Scanners could compare DNS records to results from EU-based browser requests and alert the public.
4) Sites with greater concern could additionally post information about which certs their site uses in other public locations like HTML meta tags, public databases, or even centralised locations like search consoles & app stores.
This isn't as elegant as the current system of certificate transparency, but meaningfully raises the costs of MITM'ing connections in an environment where eIDAS is enforced.