A proposed update to the EU’s Electronic Identification, Authentication and Trust Services (eIDAS) regulation is facing strong resistance from industry, academia and internet governance advocates.
On November 2, 10 organizations, including Firefox browser creator Mozilla, cloud computing providers Cloudflare and Fastly and the Linux Foundation, published an open letter opposing an amendment to the eIDAS legislation proposed by the European Commission in October.
Specifically, the signatories warn that two proposed articles, 45 and 45a, “are likely to weaken the security of the Internet as a whole.”
These articles mandate that all web browsers recognize two new authentication processes for websites to apply for authentication certificates – known as Qualified Website Authentication Certificates (QWACs).
How Does Website Authentication Work Today?
Digital certificates are used to authenticate the identity of websites and other objects in cyberspace. They play a central role in enabling encryption.
At present, the issuance and revocation of digital certificates are managed by two types of institutions: the web browsers’ root store programs and the Baseline Requirements of the certificate authority (CA)/Browser Forum.
Additionally, Certificate Transparency, an elaborate private sector-led, non-profit institution, allows websites and browsers to identify and reject falsely issued certificates.
“The current system works. […] These common rules ensure that trustworthy communication is possible at a global scale. People across the planet can trust that the operating systems or browsers they use can establish secure communications for web browsing, apps, and other communications,” wrote the open letter signatories.
In articles 45 and 45a, the EU Commission suggested requiring digital certificate issuers to also go through an annual evaluation by an EU-created ‘Conformity Assessment Body,’ in addition to “monitoring and approval by a national Supervisory Body before they are added to the EU Trust list and can begin to issue QWACs.”
How Could the eIDAS Amendment Harm Internet Security?
According to the letter signatories, the proposed system of authenticating websites within the EU poses various problems, including:
- It takes away all browsers’ powers to authenticate websites. “This means that root stores cannot apply policies that have been effective in the past, like requiring the use of Certificate Transparency to improve accountability, without permission,” reads the letter.
- It hinders future changes to adapt to emerging technologies. “Changes in response to evolving needs, like the need to respond to the possibility of a cryptographically-relevant quantum computer, would need to be developed by the European Telecommunications Standards Institute (ETSI) rather than a body that has demonstrated competence in this area,” wrote the letter signatories.
- It introduces a more centralized authentication system that could fail to mitigate mishaps. “Certificate authorities listed by member states will be recognized across the entire union. An error of judgment or deliberate action by one member state will affect citizens in all other member states,” reads the letter.
- It opens the door for global surveillance. Mozilla wrote in its own public statement: “This [change] enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state.”
The open letter concluded: “In summary, the undersigned believe that eIDAS Article 45 and 45a represent a dangerous intervention in a system that is essential to securing the Internet. We request that the EU Parliament and Members reconsider this action.”
As of November 8, 2023, the letter has been signed by 504 scientists and researchers from 39 countries, as well as numerous NGOs, including the Internet Society and Georgia Tech School of Public Policy’s Internet Governance Project.
