12 leaders in the web community sent a letter to MEPs and representatives of the EU Council to express their security concerns over the revised Article 45 of the e-ID Draft Legislative Proposal.
The European Commission’s legislative proposal to amend the Electronic Identification, Authentication and Trust Services (eIDAS) regulation, which dates back to 2014 and aims to secure cross-border transactions, is facing pushback from the web community – particularly regarding Article 45.
The legal inclusion of selected European companies, so-called “Certificate Authorities”, in web browsers’ root programs poses serious threats and weaknesses to web security, the undersigned argue.
Under the revised Article 45, browsers would be forced to accept a system of Qualified Web Authentication Certificates (QWACs) from Certificate Authorities (CAs), irrespective of whether they met the browser’s security standards.
“Unfortunately, this technical requirement is problematic as security teams’ must respond at the speed of evolving cybersecurity threats and incidents, and not be stifled by a legislative provision that would hamper such a timely response,” the letter, sent on Wednesday (6 April), reads.
The letter was signed by high-level internet players such as Vint Cerf, internet pioneer and former chairman of ICANN, and Andrew Sullivan, president and CEO of the Internet Society.
Web authentication is the technical mechanism that ensures that users are visiting the website they want to visit and are not directed to entities masquerading as that website.
In order to do so, users are given a certificate that confirms they are visiting the website they intended to visit. CAs are third parties, appointed by EU governments, that issue such certificates to the websites.
“So it’s a very powerful tool, because if it issues that certificate incorrectly, it means that a malicious party can masquerade as the website that you’re trying to visit,” Marshall Erwin, Head of Trust Intelligence Specialist at Mozilla told EURACTIV.
Thus, CAs have to be trusted and run well.
The problem with QWACs
The critical issue under the draft legislation regards how and under which security standards such certificates should be given. The proposal would enable CAs issuing certain types of certificates, namely QWACs, to be recognised by the browsers, irrespective of the security standards they apply.
The idea of QWACs was established by law in 2014. They ensure that certificates would include further information, not just about the domain one is visiting, but also about the legal entity behind it.
According to various sources, including the Electronic Frontier Foundation, requiring QWACs is problematic because they have been “debunked as an effective way to convey security to users”.
So far, browsers first make sure that CAs satisfy their standards, explained Erwin. However, the idea behind the current proposal is that “this would create a parallel process in which individual states would decide based on an unspecified set of standards,” he said. And Mozilla, for instance, would have to accept this CA.
A dangerous precedent
“Essentially, these are government-mandated Certificate Authorities that we would have to recognise,” said Erwin.
This EU legislation could set a dangerous precedent elsewhere. “I think our biggest concern is that other, repressive regimes or other major powers would follow and essentially take the same approach,” Erwin said.
For example, governments such as the United Arab Emirates or Kazakhstan have previously actively sought to undermine web authentication “by pursuing legislation that would mandate that browsers provide a man in the middle capability by accepting CA’s that don’t meet our standards”, Erwin explained.
“We have successfully pushed back on that globally. But our ability to do so will really be undermined at the point at which the precedent has been set.”
Kate Charlet, Director of Data Governance at Google, told EURACTIV that this would not only set an unsettling precedent but “it would actively expose citizens to increased digital risk at a time when protection is more challenging – and essential – than ever.”
In line with the letter’s signatories, Charlet does not believe that regulatory frameworks should have the effect of preventing organisations from protecting their users from evolving cybercrime and threats.
At the Parliament, the file has been assigned to the Industry, Research and Energy Committee (ITRE). Rapporteur Romana Jerković said that the committee vote on the draft proposal is expected in July.
[Edited by Nathalie Weatherald]