{"id":1845,
"date":"2020-10-08T05:42:24",
"date_gmt":"2020-10-08T13:42:24",
"guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=1845"},
"modified":"2020-10-08T05:42:24",
"modified_gmt":"2020-10-08T13:42:24",
"slug":"the-eus-current-approach-to-qwacs-qualified-website-authentication-certificates-will-undermine-security-on-the-open-web",
"status":"publish",
"type":"post",
"link":"https:\/\/blog.mozilla.org\/netpolicy\/2020\/10\/08\/the-eus-current-approach-to-qwacs-qualified-website-authentication-certificates-will-undermine-security-on-the-open-web\/",
"title":{"rendered":"The EU\u2019s Current Approach to QWACs (Qualified Website Authentication Certificates) will Undermine Security on the Open Web"},
"content":{"rendered":"<p>Since its founding in 1998, Mozilla has championed human-rights-compliant innovation as well as choice, control, and privacy for people on the Internet. We have worked hard to actualise this belief for the billions of users on the Web by actively leading and participating in the creation of the Web standards that drive the Internet. We recently submitted our thoughts to the European Commission on its survey and public consultation regarding the <a href=\"https:\/\/ec.europa.eu\/digital-single-market\/en\/discover-eidas\">eIDAS regulation<\/a>, advocating for an interpretation of eIDAS that is better for user security and retains the innovation and interoperability of the global Internet.<\/p>\n<p>Given our background in the creation of the Transport Layer Security (TLS) standard for website security, we believe that mandating an interpretation of eIDAS that requires Qualified Website Authentication Certificates (<a href=\"https:\/\/ec.europa.eu\/futurium\/en\/blog\/commission-runs-pilot-project-qualified-web-authentication-certificates-qwacs\">QWACs<\/a>) to be bound to TLS certificates is deeply concerning. Along with weakening user security, it will cause serious harm to the European digital single market and its place within the global Internet.<\/p>\n<p>Some high-level reasons for this position, as elucidated in our <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2020\/10\/2020-10-01-eIDAS-Open-Public-Consultation-EU-Commission-.pdf\">multiple<\/a> recent <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2020\/09\/Mozilla-Attachment-to-the-European-Commission-Review-of-eIDAS.pdf\">submissions<\/a> to the European Commission survey, are:<\/p>\n<ol>\n<li><b>It violates the eIDAS requirements:<\/b> Cryptographically binding a QWAC to a TLS connection or TLS certificate would <b>violate several provisions of the eIDAS regulation<\/b>, including Recital 67 (website authentication), Recital 27 (technological neutrality), and Recital 72 (interoperability). Binding QWACs to TLS in this way would negate the considerations those recitals express and go against the legislative intent of the Council.<\/li>\n<li><b>It will undermine technological neutrality and interoperability:<\/b> Mandating that QWACs be bound to TLS will hinder <b>technological neutrality and interoperability<\/b>, as it goes against established best practices that have helped keep the Web secure for the past two decades. Apart from being central to the goals of the eIDAS regulation itself, technological neutrality and interoperability are the pillars upon which innovation and competition take place on the Web. Limiting them will severely hinder the ability of the EU digital single market to remain competitive within the global economy in a safe and secure manner.<\/li>\n<li><b>It will undermine privacy for end users:<\/b> Validating QWACs, as currently envisaged by ETSI, poses serious privacy risks to end users. In particular, the proposal relies on validation procedures or protocols that would reveal which sites a user visits to a third-party validation service, which would then be in a position to track and profile users based on that information. Even if such use were limited by policy, the information disclosed is largely indistinguishable from that collected by a privacy-problematic tracking technique known as \u201clink decoration\u201d.<\/li>\n<li><b>It will create dangerous security risks for the Web:<\/b> It has been repeatedly suggested that Trust Service Providers (TSPs) who issue QWACs under the eIDAS regulation should automatically be included in the root certificate authority (CA) stores of all browsers. Such a move would amount to forced whitelisting of website certificate issuers by government dictate and would <b>irremediably harm users\u2019 safety and security<\/b>. It goes against established best practices for website authentication that have been built by consensus from the varied experiences of the Internet\u2019s explosive growth. The technical and policy requirements for a CA to be included in the root store of Mozilla Firefox, for example, compare much more favourably with the framework that eIDAS creates for TSPs: they are more transparent, have more stringent audit requirements, and provide for greater public oversight than eIDAS requires of TSPs.<\/li>\n<\/ol>\n<p>As stated in our <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/manifesto\/\">Manifesto<\/a> and our <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2020\/01\/Mozilla-Digital-ID-White-Paper.pdf\">white paper<\/a> on bringing openness to digital identity, we believe individuals\u2019 security and privacy on the Internet are fundamental and must not be treated as optional. An interpretation of eIDAS that (even if inadvertently) binds QWACs to TLS certificates, enables tracking, and requires a de facto whitelisting of TLS certificate issuers at the direction of government agencies is fundamentally incompatible with this vision of a secure and open Internet. We look forward to working with the Commission to achieve the objectives of eIDAS without harming the Open Web.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Since its founding in 1998, Mozilla has championed human-rights-compliant innovation as well as choice, control, and privacy for people on the Internet. We have worked hard to actualise this belief &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2020\/10\/08\/the-eus-current-approach-to-qwacs-qualified-website-authentication-certificates-will-undermine-security-on-the-open-web\/\">Read more<\/a><\/p>\n","protected":false},
"author":1759,
"featured_media":0,
"comment_status":"closed",
"ping_status":"closed",
"sticky":false,
"template":"",
"format":"standard",
"meta":{"footnotes":""},
"categories":[283198,585,8633,15890,69,298],
"tags":[],
"coauthors":[327272,452979],
"yoast_head_json":{"title":"The EU\u2019s Current Approach to QWACs (Qualified Website Authentication Certificates) will Undermine Security on the Open Web - Open Policy &amp; Advocacy","canonical":"https:\/\/blog.mozilla.org\/netpolicy\/2020\/10\/08\/the-eus-current-approach-to-qwacs-qualified-website-authentication-certificates-will-undermine-security-on-the-open-web\/","twitter_misc":{"Written by":"Udbhav Tiwari, Ben Wilson","Est. reading time":"3 minutes"}}}