Our question is relatively simple: why is the Let's Encrypt CA not accepted by the European Commission (Eidas)?
For some parts of our business, we have to work with government bodies, and not being able to use Let's Encrypt certificates for this doesn't make sense to us.
Thank you in advance for your help!
because
I am not sure that's actually been approved (it might be in the current year). QWACs are a thing, mandatory inclusion of roots isn't yet (and hopefully never).
What makes you say this?
If you need a QWAC certificate, Let's Encrypt doesn't provide them. But if the EC has strange requirements on DV certificates, that's on them.
Does it really matter though? If you can't use Let's Encrypt there are several other ACME enabled CAs. There will always be political and geographic exceptions.
I looked at the eIDAS website and I still have no idea what it does or what it aims to be/do. Is there some sort of list of accepted CAs?
eIDAS isn't about certificate authorities, it's about digital identity.
In that context, they refer to qualified trust providers. But there seems to be a bit of confusion when this moves from a smartcard ID card to a TLS certificate. In a nutshell that's what QWACs are, EVs on steroid.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG