{"id":2110,"date":"2021-11-04T05:54:30","date_gmt":"2021-11-04T13:54:30","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=2110"},"modified":"2021-11-04T07:30:14","modified_gmt":"2021-11-04T15:30:14","slug":"mozilla-publishes-position-paper-on-the-eu-digital-identity-framework","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2021\/11\/04\/mozilla-publishes-position-paper-on-the-eu-digital-identity-framework\/","title":{"rendered":"Mozilla publishes position paper on the EU Digital Identity Framework"},"content":{"rendered":"<p>Earlier this year the European Commission unveiled its proposed &#8216;Digital Identity Framework&#8217;, a revision to the 2014 eIDAS regulation. While the draft law includes many welcome provisions on the security and interoperability of digital ID, it also contains a set of provisions that, if adopted, would have a fundamentally negative impact on the website security ecosystem. <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2021\/11\/eIDAS-Position-paper-Mozilla-.pdf\">Our new position paper<\/a> spells out the risks involved in forcing browsers to support a kind of web certificate known as Qualified Web Authentication Certificates (QWACs), and provides recommendations for lawmakers in the European Parliament and EU Council who are presently amending the draft law.<\/p>\n<p>Web browsers are key user agents in our modern digital world. The web browser helps people visit the sites and services they want to use, and it protects them while they are there. One of the most important ways in which browsers protect users is through <b>website authentication<\/b>. For instance, if a person wants to visit Europa.eu, the web browser must reliably ensure that the site is actually under control of the owner of the domain \u2018Europa.eu\u2019, and not an attacker on the network <i>impersonating<\/i> the European Commission\u2019s domain. 
Absent that assurance, users might send passwords, personal details, and other compromising information to the wrong party, putting them at risk of identity theft, fraud, and other privacy interferences.<\/p>\n<p>An insecure website authentication ecosystem would lead to significant harms, both online and off. Put simply, the trust benefits of website authentication and the ecosystem that underpins it are essential for the Digital Single Market and e-government, as well as for protecting the public interest work of journalists, politicians, and human rights defenders.<\/p>\n<p>Unfortunately, the draft eIDAS revision would undermine years of advancements in this space. In a nutshell, the revised Article 45 would force browsers to suspend the \u2018root store\u2019 policies that are essential for maintaining trust and security online. These rigorous and independent policies and vetting practices underpin a system of online trust that is put into practice every single second, and which is fundamental to ensuring the online security of every person on the planet who uses a browser to navigate the web.<\/p>\n<p>At the same time, the types of website certificates that browsers would be forced to accept, namely QWACs, are based on a flawed certificate architecture that is ill-suited to the security risks users face online today. 
In the years since the original eIDAS regulation was adopted in 2014, an increasing <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/extended-validation-ev-certificates-abused-to-create-insanely-believable-phishing-sites\/\">body of research<\/a> has illustrated how the certificate architecture that inspired QWACs \u2013 namely, extended validation certificates \u2013 lulls individuals into a false sense of security that is often exploited for malicious purposes such as phishing and <a href=\"https:\/\/arstechnica.com\/information-technology\/2017\/12\/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is\/\">domain impersonation<\/a>. For that reason, since 2019 <a href=\"https:\/\/www.troyhunt.com\/extended-validation-certificates-are-really-really-dead\/\">no major browser showcases EV certificates directly in the URL address bar.<\/a><\/p>\n<p>As such, should the revised Article 45 be adopted as is, Mozilla would no longer be able to honour the security commitments we make to the hundreds of millions of people who use our Firefox browser or any of the other browser and email products that also depend on Mozilla&#8217;s Root Program. 
It would amount to an unprecedented weakening of the website security ecosystem, and undercut the browser community\u2019s ability to push back against authoritarian regimes\u2019 interference with fundamental rights (see <a href=\"https:\/\/www.zdnet.com\/article\/apple-google-microsoft-and-mozilla-ban-kazakhstans-mitm-https-certificate\/\">here<\/a> and <a href=\"https:\/\/slate.com\/technology\/2021\/05\/mauritius-online-speech-government-proxy-servers.html\">here<\/a> for two recent examples).<\/p>\n<p>Fortunately, there is still time to address the problems wrought by this proposal, and <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2021\/11\/eIDAS-Position-paper-Mozilla-.pdf\">our position paper<\/a> includes recommendations for how lawmakers in the European Parliament and EU Council can amend the relevant provisions. As the discussions on the eIDAS revision heat up in the EU Institutions, we\u2019ll be engaging intensively with lawmakers and the broader community to protect trust and security on the web.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Earlier this year the European Commission unveiled its proposed &#8216;Digital Identity Framework&#8217;, a revision to the 2014 eIDAS regulation. 
While the draft law includes many welcome provisions on the security &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2021\/11\/04\/mozilla-publishes-position-paper-on-the-eu-digital-identity-framework\/\">Read more<\/a><\/p>\n","protected":false},"author":1559,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[327292,10137,847,69,10136],"tags":[],"coauthors":[318937,327270],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mozilla publishes position paper on the EU Digital Identity Framework - Open Policy &amp; Advocacy<\/title>\n<meta name=\"description\" content=\"The EU is considering a draft law that has serious ramifications for the website security ecosystem. We have recommendations for how to fix it.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2021\/11\/04\/mozilla-publishes-position-paper-on-the-eu-digital-identity-framework\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Owen Bennett, Udbhav Tiwari\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2021\/11\/04\/mozilla-publishes-position-paper-on-the-eu-digital-identity-framework\/\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/2021\/11\/04\/mozilla-publishes-position-paper-on-the-eu-digital-identity-framework\/\",\"name\":\"Mozilla publishes position paper on the EU Digital Identity Framework - Open Policy &amp; Advocacy\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\"},\"datePublished\":\"2021-11-04T13:54:30+00:00\",\"dateModified\":\"2021-11-04T15:30:14+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/5b3cc3909c8b5ee76eb51df71ec36d63\"},\"description\":\"The EU is considering a draft law that has serious ramifications for the website security ecosystem. 
We have recommendations for how to fix it.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2021\/11\/04\/mozilla-publishes-position-paper-on-the-eu-digital-identity-framework\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/netpolicy\/2021\/11\/04\/mozilla-publishes-position-paper-on-the-eu-digital-identity-framework\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2021\/11\/04\/mozilla-publishes-position-paper-on-the-eu-digital-identity-framework\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/netpolicy\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mozilla publishes position paper on the EU Digital Identity Framework\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/\",\"name\":\"Open Policy &amp; Advocacy\",\"description\":\"Mozilla&#039;s official blog on open Internet policy initiatives and developments\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/5b3cc3909c8b5ee76eb51df71ec36d63\",\"name\":\"Owen Bennett\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/e46a666e0d8a768b13461b5a1539a34a\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6f774b07d5ad0d800fe5ec879c4be6c7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6f774b07d5ad0d800fe5ec879c4be6c7?s=96&d=mm&r=g\",\"caption\":\"Owen Bennett\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/2110"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/users\/1559"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/comments?post=2110"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/2110\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/media?parent=2110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/categories?post=2110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/tags?post=2110"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/coauthors?post=2110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}