The Internet Governance Project has signed on to a Joint statement of scientists and NGOs in opposition to Article 45 of the European Union’s eIDAS (Electronic IDentification And trust Services) regulation. Security researchers, digital rights groups and industry all oppose the regulation, as it shifts decision-making authority over whom to trust from browsers to governments. This important change in the Web’s security infrastructure, which appears to us as a solution in search of a problem, risks fragmenting the globalized authentication and encryption methods currently governing web security. Although the EU strenuously denies it, eIDAS also risks decreasing cybersecurity and privacy for Internet users. Indeed, the idea of trusting governments with regulating encryption seems a bit odd at a time when so many governments are trying to break or even ban encryption. Let’s take a closer look.
What is Article 45 of eIDAS?
Article 45 of the eIDAS (Electronic IDentification And trust Services) regulation in the European Union aims to establish requirements and standards for qualified certificates for website authentication. Digital certificates are used to authenticate the identity of websites and other objects in cyberspace. They play a central role in enabling encryption. A ‘Qualified Website Authentication Certificate,’ or QWAC, according to the legislation, is supposed to enhance the security and trustworthiness of website authentication by setting standards for certificate issuance and using the power of regulation to enforce them.
However, there are already exacting standards for the issuance and revocation of digital certificates: the root store programs of browsers, and the Baseline Requirements of the Certificate Authority/Browser Forum. There is also an elaborate private sector-led, nonprofit certificate transparency infrastructure that allows websites and browsers to identify and reject falsely-issued certificates.
In place of this highly efficient and flexible system, the Europeans want to insert two layers of regulation rooted in government bureaucracies. Digital certificate issuers would not only be audited, as they are now, but their auditor would be required to monitor and approve “all system or procedural changes that are made between audits,” and they must also go through an annual evaluation by an EU-created “Conformity Assessment Body,” in addition to “monitoring and approval by a national Supervisory Body” – a governmental Ministry – “before they are added to the EU Trust list and can begin to issue QWACs.” All Article 45 does, then, is force web browsers to recognize and trust certificates that comply with EU regulations, thus shifting power in web authentication from private actors to EU governments.
The EU has not shown that there are any failings in the existing system. Nor has the EU shown that its heavy new QWAC standards are better in any specific dimension than certificates that follow the Baseline Requirements. (In fact, the specific details will be specified by ETSI later.) They are simply proposing to replace the existing system with their own.
Here is a rundown of the provisions of Article 45:
- Recognition by Web Browsers: Web browsers must recognize and trust qualified certificates for website authentication.
- Security Measures: Web browsers are allowed to take necessary and proportionate security measures to address risks of breaches of security, user privacy, and loss of certificate integrity. If such measures are taken, the browser must notify relevant parties.
- User-Friendly Display: Web browsers should display identity data and electronic attributes provided in a user-friendly and consistent manner, reflecting industry standards for accessibility, user awareness, and cybersecurity.
- Support and Interoperability: Web browsers must ensure support and interoperability with qualified certificates for website authentication, except for microenterprises and small enterprises in their first 5 years of providing web-browsing services.
- Annex IV Criteria: Annex IV specifies the data that must be included in these certificates to ensure their high level of assurance and reliability. This includes an indication that the certificate was issued as a Qualified Certificate, along with the details of the Trust Service Provider and the certificate holder.
Fragmenting the Web
Article 45 of the eIDAS regulation allows each EU member state and recognized third-party countries to designate certificate authorities for mandatory trust. This means that governments have the ability to introduce their own root certificate authorities, and the browsers will have to add them to their root trust stores for European users. In essence, EU governments will now be in control of the trust anchors for European web users. Instead of a globalized trust anchor run by independent non-state actors, we will get territorial ones subject to governmental control.
The EU claims that “QWACs and the companies that issue QWACs are subject to MORE audits and security checks than non-QWAC certificates.” This claim is highly debatable, but misses the real point. As noted before, the EU has not demonstrated any flaws in current standards, nor can it point to major failings that would have been avoided by the (still-to-be-defined) eIDAS requirements. The question is not how many procedural rules and regulations there are, but rather who makes the call, and how rapid and effective the feedback mechanisms are between certificate issuance and trust decisions. The current system puts decision-making authority in the hands of the entities who actually operate the Web PKI: the browsers and CAs. The eIDAS regulation would arrogate that authority to the European Commission (but only in the European jurisdiction) and rely entirely on a rigid set of rules and procedures, eliminating the ability of browsers to make independent decisions.
Why should we care about that shift of authority? There are two key differences. One relates to actor incentives. The browsers’ businesses and websites depend heavily on proper authentication of digital certificates. A compromised root certificate creates so many risks to browsers that their incentives are strongly aligned with the interests of their users. They need the flexibility to apply their own standards if they are to trust a certificate, and that is appropriate because they have the most at stake. The governmental entities empowered by the European Commission, on the other hand, are several steps removed from the operation of the Web. The fallout from compromised certificates does not affect them directly. In this case, the incentives of private actors are far more aligned with the public interest than the incentives of regulators and governments.
The second key difference is that the browsers’ scope is global, and EU jurisdiction is territorial. The browsers and the CA/B Forum have created a globally uniform and compatible set of standards and practices. Fragmenting this into different jurisdictions is going to cause complications and incompatibilities, and confusion is always the enemy of security. While the intent of eIDAS is to reduce the frictions of digital trade among EU countries, the Web is already a globally integrated space. There is no “European” Web. The Web already functions as a global unit, and European certificate authorities operate under the same global rules as CAs everywhere else. Substituting governmental authority for private cooperation simply fragments the global regime. And it could set in motion further fragmentation. If the European Union feels empowered to mandate browser root stores, other governments may feel entitled to do the same in their jurisdictions: India, China or the United States. It is very dangerous to the global Internet to set such a process in motion.
Governmental regulation of certificate authority issuance reduces the flexibility and adaptability of the system in three ways.
- Reduced Security Checks:
Article 45(2a) of the eIDAS regulation restricts the introduction of additional security checks on EU web certificates used for encrypted web traffic. It effectively sets an upper bound on security measures that cannot be improved upon without the permission of the European Telecommunications Standards Institute (ETSI). This limitation could hinder the adoption of new security technologies and measures that are crucial for enhancing web security.
- Limited Flexibility:
The regulation limits the ability to adapt to evolving threats and emerging security technologies, as mandatory security requirements beyond those specified in ETSI standards are discouraged under Article 45(2a). This could slow down the response to new cybersecurity challenges.
- Certificate Revocation:
The mandatory trust requirement of eIDAS massively reduces the flexibility of certificate revocation and distrust. Revoking compromised certificates quickly, and distrusting a CA that has issued them, is a key security protection measure. The eIDAS regulation does not provide effective mechanisms for browsers to remove QWACs or their issuers from the trust list without the government’s approval. The inability of private actors to make their own decisions about trust can hinder the ability to respond rapidly to security problems.
Can we trust governments with our encryption?
A more basic question underlies this debate. The introduction of government-controlled root certificate authorities creates a risk of misuse. Root certificates can be abused: whoever controls a trusted Certificate Authority can issue a certificate for any domain name, and thereby intercept and read the encrypted web traffic of others. States that operate or control CAs may regard espionage as a legitimate security interest, which could lead them to issue fraudulent certificates to enable man-in-the-middle attacks on targeted communications. If European states could issue certificates that browsers are forced to trust, they could use this authority to intercept web traffic, including traffic to non-EU websites, because a trust anchor is not limited to the issuer’s own jurisdiction. This introduces a potential risk to the privacy and security of Internet users. As several hundred experts wrote in the open letter, “…although much of eIDAS2.0 regulation carefully gives citizens the capability to opt out from usage of new services and functionality, this is not the case for Article 45. Every citizen would have to trust those certificates, and thus every citizen would see their online safety threatened.” (Para 3, Page 4)
The pathology of digital sovereignty
In the final analysis, the only real justification for the eIDAS regulation is that it is an attempt by the EU to assert digital sovereignty. Sovereignty is a territorially exclusive form of power, and the European Commission’s dreams of asserting more power at the expense of American firms have led it to secede from the global Web PKI system. No positive security value is generated by these new rules; it is all about “US big tech setting the rules for Europe,” as a Commission propaganda piece admits. By establishing its own framework for electronic identification and trust services, the EU aims to reduce reliance on foreign technologies and services while promoting the adoption of European digital identity solutions.
As always, there are special business interests allied with the digital sovereignty game. Whereas Let’s Encrypt and the ACME standard have succeeded in making digital certificates freely available and relatively easy to install, the issuance of QWACs cannot be automated. QWACs can only be issued by a Qualified Trust Service Provider (QTSP), and these certificate authorities must be authorized by EU member states. The validation process involves verifying the legal status of the entity, which typically requires manual checks and documentation reviews to ensure compliance with the requirements, thus consuming more time and resources. This would in turn increase the cost of getting a certificate, creating a high-profit market for European QTSPs. It would effectively exclude automated and free certificate issuers such as Let’s Encrypt from the EU QWAC market unless they change their process significantly. It is worth mentioning that certain QTSPs are already trusted by web browsers. However, up to this point, browsers have chosen to disregard the language of the 2014 eIDAS regulation with regard to accepting QWACs. Once the current revisions to eIDAS are in force, browsers will be legally obligated to support QWACs. This change is less likely to stimulate new national champions than to sustain inefficient firms.
Here again, the precedent set can further compromise web security if more countries implement similar proposals. China’s Personal Information Protection Law (PIPL) was modelled on GDPR, but added government security assessments of cross border data flows. We can expect the eIDAS regulations to serve as a model for other states interested in digital sovereignty. In this case, browsers may face a decision to either ignore national laws, defer trust to States, or support distinct root stores for varied national constituencies.
IGP presentation of their Web PKI research at the Taiwan Internet Governance Forum, October 2023.
REPORT on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity | A9-0038/2023
Open Letter Opposing eIDAS: https://nce.mpi-sp.org/index.php/s/cG88cptFdaDNyRr