(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on allecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]
BREAKING: leaked document from MEPs lays out a delusional, paranoid joint (mis)understanding of how Web standards work, makes demands for Government, not experts, to dictate how Web works / for HTTPS
2023-11-30 11:55:51+00:00
This document is circulating amongst European security academics.
It is a shockingly bad basis for legislation; I was robustly anti-brexit but this makes me glad that we in the UK are “out”, not that Brexit improves matters because it still means that any global communication with an EU website may have its security and integrity violated.
In particular: check out the answers to questions 2, 8, 11, and 12.
Personal perspective: these are not arguments in favour of QWACs, in fact some of the text I would characterise as jingoism and bombast, something like:
“THEY are people who implement web browsers but WE represent the federation of European states and THEREFORE we are surely fit to tell internet security how it should work; also THEY write software and WE cannot currently tell them what to do, and THIS situation is intolerable”
Internet security is like the tides: you can locally shape where they go, yes, but you can’t control the reality of them and how they behave, and global change is not within the remit of humankind – instead change emerges from humankind.
In this case:
We had EV certificates. I am intimately familiar with them. They were a pain in the ass. They were expensive. They did not serve their purpose. It appears that the eIDAS project is captured by entities like the European Signature Dialogue who I’m pretty sure see potential for money in this identity project (edit: to resurrect EV goals as QWACs), not to mention the opportunity to expand it later. And then they go try and paint Mozilla in the same terms which most internet activists reserve for Palantir <cough/>. And they evidence this with (e.g.) the suggestion that shrinking certificate lifetimes down to 90 days is somehow an anticompetitive practice, as opposed to “minimising a temporal attack surface”. The European CAs feel that they should just be able to issue a certificate for a long time, collect the money and run (edit: not even bothering to log it publicly in a trustworthy CT log.)
This is appalling, in ways that are too innumerable to describe. I need more coffee and food before fully nitpicking it, unless others beat me to it.
Full plaintext attached below. Previously. Background.
Update: Statement re: Attribution
I believe my sources with as much trust as those people who are cited within the document, demanding that we MUST arbitrarily trust them with the keys to internet safety because they are good guys who will be policed by yet more good guys and who would never do anything to undermine that trust.
If the document suggested that all QWAC certificates would have to obey Web standards and be registered in a public encrypted log, we would mostly/ish not be in this situation.
Trust is complicated like that.
— Page 1 —
Members briefing note on the discussion around Qualified Website Authentication Certificates (QWACs) – Art. 45 of eIDAS Regulation
Despite the successful conclusion of the final trilogue on the eIDAS revision on November 8, an open letter has sparked a controversy around Article 45 (QWACs) that is threatening to undermine the entire proposal. Subsequent to the publishing of the open letter, an aggressive disinformation campaign has been launched further spreading unfounded accusations.
The open letter claims that the current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens. It further claims that the technical implementation of these QWACs could affect the security of the Internet by interfering with the way in which web-browsers manage security and encrypt communication. The open letter claims that by mandating web-browsers to recognize the QWACs, the new Regulation could lead to a breach of encryption and allow web traffic to be intercepted.
On top of this, Mozilla has also engaged in its own campaign trying at all costs to preserve the monopoly of the web browsers to set their own rules outside of any regulatory system.
In view of the vote in ITRE on November 28, with this briefing we seek to revert to the facts-based discussion, to better inform Members and to also help with stakeholder communication.
What is a Qualified Website Authentication Certificate (QWAC)?
A QWAC makes it possible to authenticate a website and confirms that the person or company behind a website is genuine and legitimate. In other words, it gives assurance with a high level of confidence in the identity of the entity standing behind the website, irrespective of the platform used to display it.
As such, QWACs prevent identity fraud, protect the fundamental rights of European consumers in the digital world and are an important part of the European digital trust framework.
Are QWACs new? Articles 45 and 45a mandate that all web browsers recognize a new form of certificate for the purposes of authenticating websites.
Qualified Web Authentication Certificates (QWACs) are not a new form of certificate. They were defined in the original 2014 eIDAS Regulation in Article 45 as part of Europe’s push for “digital sovereignty” instead of domination by non-European big tech companies. They work in exactly the same way as other forms of website certificates that are also in use.
There is no information to suggest that the use of QWACs since 2014 has led to an increase in mass surveillance of citizens by the governments, that they have in any way fragmented the Web or in any way undermined the internet’s trust architecture!!!
— Page 2 —
Why is eIDAS mandating recognition of web-browsers by the QWACs?
QWACs are electronic certificates that provide independent assurance of the authenticity of a website by certifying its ownership. It gives the users the assurance that they are interacting with a genuine website, helping prevent internet fraud. They, thereby, improve the security and transparency of the internet. As QWACs attest the authenticity of websites, they require the technical support of web-browsers to function correctly.
Since web browsers have not voluntarily recognised QWACs since their creation by the eIDAS regulation in 2014, the Commission has proposed to make this recognition compulsory.
Recognition means that web browsers are required to ensure support and interoperability for the QWACs for the sole purpose of displaying identity data in a user-friendly manner.
Recognition of QWACs implies that browsers shouldn’t question the origin, integrity or data in the certificate.
Who issues QWACs?
QWACs are issued by Qualified Trust Service Providers (QTSPs), under the close supervision of the Member States’ authorities, similarly to all other qualified trust services. National trusted lists may be used to confirm the qualified status of QWACs and of their trust service providers, including their full compliance with the requirements of this Regulation with regards to the issuance of qualified certificates for website authentication.
Who are Qualified Trust Service Providers (QTSPs)? How do they get their qualified status?
QTSPs are trust service providers who provide one or more qualified trust services and are granted the qualified status by the Member States’ supervisory bodies. Put simply, they are providers of trust services whose high level of security, data protection, and compliance are subject to regular independent audits and certifications. As a result, there is greater assurance of the legal validity of their services.
Before a trust services provider is granted a qualified status (QTSP/QTS), it will be subject to a pre-authorization process — the so-called initiation process. QTSPs may only begin to provide the qualified trust service after the qualified status has been granted by the competent supervisory body and indicated in the national trusted list. Before being granted the qualified status, the QTSP must successfully pass an external assessment (audit) to confirm it fulfills the eIDAS requirements. That audit must be conducted by a conformity assessment body specifically accredited to carry out assessments of a QTSP.
For example: a qualified status in Germany is only granted by the independent supervisory body (e.g. Federal Security Office in Germany) after auditing is completed by a conformity assessment body (e.g. TÜV).
— Page 3 —
Will all European websites be government mandated to use QWACs?
No. The provision and the use of website authentication services, including QWACs, are entirely voluntary and subject to market competition in the domain of website certificates. The use of QWACs is not subject to a government mandate – natural and legal persons are free to choose from a number of different browser certificates currently available on the market, such as EV, OV or DV certificates.
Does the eIDAS Regulation intend to change the way browsers ensure web security?
No. The requirement to recognise QWACs does not, in any way, affect browsers’ own security policies. Art. 45 leaves it up to the web-browsers to preserve and follow their own procedures and criteria for encryption and authentication of certificates in line with best industry practices.
Amended recital 32 explicitly states that “The obligation of recognition, interoperability and support of QWACs is not to affect the freedom of web-browser providers to ensure web security, domain authentication and the encryption of web traffic in the manner and with the technology they consider most appropriate.”
Do the rules on QWACs facilitate government surveillance of citizens and the interception of web traffic?
No. QWACs are certificates that make it possible to identify the entity behind a certain website. These certificates are issued by public or private trust service providers as a commercial service. QWACs have no other function than to attest the identity behind a website. Browsers are required to recognize them for the sole purpose of displaying this identity.
The recognition of QWACs does not oblige web-browsers to grant QWACs automatic access to their root stores. The obligation to recognise QWACs does not, therefore, affect browser security policies and leaves them complete freedom to preserve their own procedures and criteria for encryption and authentication of other certificates.
Does the requirement to recognize QWACs in Article 45 make it impossible for web browsers to raise security issues with QWACs?
No. QWACs are trusted electronic certificates issued to common standards by accredited EU trust service providers. The issuance is supervised by national authorities which should act in full compliance with the requirements of the Regulation.
In order to ensure a fully harmonized approach to national supervision and to avoid any Member State following lower supervision standards, the eIDAS Regulation foresees the development of specific standards and procedures that will need to be followed by all national supervisory bodies within 12 months of the entering into force of the Regulation.
Should there be security incidents, web-browsers are free to take precautionary measures to protect the security of the Internet. This has been clarified in Recital 32.
It is important to ensure the correct functioning of QWACs. For this reason, the Regulation does not allow Member States or private parties to impose additional requirements beyond those set in the Regulation. [Article 45(2a)].
— Page 4 —
The prohibition of additional requirements is of course without prejudice to the responsibility of web-browsers to ensure web security, domain authentication and the encryption of web traffic. This has been clarified by co-legislators in recital 32 which includes a provision that the rules on QWACs shall not affect the freedom of web browsers to ensure web security, domain authentication and the encryption of web traffic in the manner and with the technology they consider most appropriate.
What is the procedure for web-browsers to raise security concerns on QWACs? [Article 45a, Recital 32]
In case of substantiated security concerns regarding security or integrity breaches of QWACs, web browsers may take precautionary measures to protect the integrity and security of the internet. Taking such precautionary measures is fully at the discretion of web-browsers and not a specific obligation set in the Regulation.
When taking these precautionary measures, web browsers shall notify all concerned parties, and notably the national supervisory body, of their concerns and the measures taken.
The national supervisory body will take a decision on the integrity of the QWAC in question and may request it to be withdrawn.
This process is only intended to secure the correct functioning of QWACs in the web environment and does therefore not cover other certificates used by web-browsers to ensure web security, domain authentication and the encryption of web traffic, such as TLS certificates. The Regulation does not introduce general reporting obligations on certificates used by web-browsers.
The independence of web-browsers when it comes to the management of web-security has been clarified by amendments to recital 32. These amendments state that the rules on QWACs shall not affect the freedom of web browsers to ensure web security, domain authentication and the encryption of web traffic in the manner and with the technology they consider most appropriate.
The current system works – why change it?
The amended eIDAS Regulation creates a balance between the EU and the browsers. Right now, there is no recourse or oversight to browsers’ decisions. Browsers are BOTH competitors of EU Qualified Trust Service Providers (QTSPs) – browsers also issue website certificates to their cloud hosting customers – AND regulators of QTSPs through the browsers’ own root program rules.
Browsers have abused their monopoly regulatory powers in the past and are in the process of doing so again by forcing all website owners and QTSPs to move to automated 90-day website certificates (instead of the current 13-month certificate limit), even though there is widespread opposition in the internet ecosystem.
Under eIDAS, the EU is able to exercise its digital sovereignty to protect EU citizens, but the browsers are also able to (1) participate in future rulemaking and (2) report any certificate problems they encounter from QTSPs to regulatory bodies for investigation. Browsers can
— Page 5 —
…participate in standardization forums like ETSI at any time – and some already do this – to strengthen the rules for the issuance of QWACs if they deem this necessary. Right now, the browsers just do what they want, and there is no recourse or oversight to their decisions. New eIDAS changes that.
The eIDAS Regulation is a law to ensure the digital sovereignty of the EU and to enable the European Digital Single Market. The eIDAS is not a security law and does not give police and security authorities more rights and powers, nor does it lay the foundation for surveillance and data access rights.
The aim of eIDAS is to create trust anchors for digital transactions through strict, comprehensive regulation, which can be trusted comprehensively and generally by anyone involved in legal and business transactions. Any impairment of the status as an anchor of trust and weakening of the level of security is therefore unlawful.
The accusation that EU member states would use this regulation to spy on their citizens is completely absurd.
The suggested danger is purely hypothetical because a system of independent bodies guarantees security. The actions that would need to be taken for this would be costly (there are much simpler procedures for spying on citizens).
An EU member would have to take illegal actions and ruin its reputation. In addition, there would be a high risk of detection of any such attempt.
First of all, the approval of a QTSP already offers a high level of protection: it is only granted by the independent supervisory body (e.g. Federal Security Office in Germany) after auditing by a conformity assessment body (e.g. TÜV). This means that independent parties are still involved.
Second, in order for the suggested danger to occur, an EU member state would have to completely and deliberately put itself in the wrong: It would first have to compromise a QTSP. In addition, the EU Member State would have to ensure that the independent conformity assessment body and (!) the independent supervisory body do not fulfil their inspection and supervisory duties.
Finally, there would also be a risk that the European Commission, which must always be informed, would initiate infringement proceedings against the Member State if the browsers were reported due to security concerns.
Incidentally, browsers are obliged under the US Homeland Security Act to provide data to US intelligence agencies on request.
— Page 6 —
Can Member States follow different security approaches for the Wallet? What is the added value of eIDAS 2.0?
[END]
[1] https://alecmuffett.com/article/108519
[2] https://creativecommons.org/licenses/by-sa/3.0/