EU row over certificate authority mandates continues ahead of rule…
Organisations and companies representing the global tech sector are warning that a regulation adopted by the European Union will undermine security and trust in browsers worldwide, enable state-sponsored web traffic interception, and would be extra-territorial.
The EU proposal, Article 45 of Electronic Identification, Authentication and Trust Services (eIDAS) version 2, mandates Qualified Web Authentication Certificates (QWACs) and has caused an escalating row between the EU and the mostly North American tech sector.
At issue is whether the proposed regulation’s requirement that all browsers use QWACs to “ensure that the identity data provided using any of the methods is displayed in a user-friendly manner” is harmful to the existing Certificate Authority ecosystem.
Various organisations – including Mozilla, Google, Cloudflare, the Linux Foundation and the Internet Society – are warning that if the wording of Article 45 remains unchanged, it would ultimately require all browsers to carry an EU-mandated list of trusted root Certificate Authorities (CAs).
The accusation, put forward in this Mozilla-backed open letter [pdf], is that the regulation in its current wording would force mandated certificates and cryptographic keys on browsers, allowing malicious governments to intercept traffic.
“The current language is imprecise, and risks being interpreted as requiring that browsers recognise the certificate authorities that each EU member state appoints for the purposes of authenticating the domain name of websites,” the letter stated.
“Certificates provided by certificate authorities also secure global commerce in many ways, including email, voice and video, messaging, software delivery, and many other proprietary forms of communication used by businesses”, the letter continued.
Mozilla (among others) noted the rules are effectively extra-territorial, since a user outside Europe would not be able to reach sites carrying QWACs unless they trust the mandated root CA.
The Internet Society (ISOC) last week warned the mechanism “can be used to insert a ‘government root’ certificate, and thereby gain access to all browser sessions secured with those certificates,” adding that this would be “a serious threat to fundamental rights” and “a cyber security threat to the EU.”
Another open letter [pdf], signed by more than 400 scientists and researchers in 33 countries, carries similar warnings, stating that “the current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens.”
ISOC and the Electronic Frontiers Foundation also warn that Article 45 blurs the line between a website’s identity and securing communications with that site using Transport Layer Security (TLS).
The EFF said last year: “The eIDAS Article 45 proposal attempts to guarantee the legal and safe identity of the website owner – but that is not the problem TLS was built to solve.”
TLS has to be accessible, the EFF’s statement said, but mandating QWACs “sets TLS deployment back six years” because it requires “all domain owners to have the technical expertise and the monetary resources to self-manage their certificates”.
ISOC said: “The current Article 45 text lacks sufficient clarity and detail about relevant functional differences between QWACs and browser connection certificates.
“If users mistake one for the other, they are likely to make misguided trust decisions based on mistaken assumptions about what each type of certificate ‘means’.”
EU pushback
The EU has been pushing for the use of QWACs for some years.
The EU’s cyber security agency ENISA notes in this 2022 presentation [pdf] that dialogue to get QWACs accepted dates back to 2018.
While calling for reforms such as letting browsers distrust individual bad QWACs, and calling for a transparent body for distrust, ENISA believes Article 45 can be adjusted to make it acceptable to browser vendors.
The European Signature Dialog (ESD), a lobby of EU-based signature providers led by Austrian company A-Trust, hopes to derail opposition to QWACs and has published this statement [pdf] refuting Mozilla’s claims.
“The campaign pushes serious misinformation on the eIDAS legislation in order to block changes to Article 45 covering the EU’s Qualified Web Authentication Certificates,” the ESD said, adding that “the legislation will increase the online security of European citizens.”
The ESD says current certificates do not guarantee users know the identity of website owners, and that this is in breach of the GDPR, which requires that users know who they’re providing personal data to.
About Author
