Mozilla Campaign: securityriskahead.eu


Kathleen Wilson

Jul 13, 2022, 6:08:19 PM
to dev-secur...@mozilla.org
All,

This is just FYI that Mozilla has launched a campaign called "Security Risk Ahead" to provide information about eIDAS article 45.2, which (as currently written) could force browsers to accept QWACs even when they do not fully comply with browser root store requirements.


Cheers,
Kathleen


Phillip Hallam-Baker

Jul 14, 2022, 8:30:17 AM
to Kathleen Wilson, dev-secur...@mozilla.org
As with the Google response, you are taking a very US-centric approach to lobbying that is only going to reduce the chance of influencing the outcome. EU politics are not the same as US politics.

Case in point, the site isn't translated into German, French or Spanish. There aren't very many English speakers left in the EU after Brexit.

Unlike US politicians who are mostly self important numbskulls, most MEPs are very serious people. These are (mostly) the politicians who have complete command of their briefs. They are not going to be convinced by the argument that QWACs represent a threat to the security of the Internet while LetsEncrypt's free certificates with no validation whatsoever are just peachy because that is a really bad argument to try to make.

The EU concern here is that Google is setting itself up to be the monopoly provider of trust in the Web and that eliminating EV certs is a part of that strategy. If you want to influence the outcome of this issue, you need to provide them with an alternative approach to achieving that end. I will explain how to do that at the end, first I have to explain my point of view.


The heart of VeriSign Class 3 and the Extended Validation requirements was establishing the accountability of the subject. It was never about identity. The notion was that if someone is going to be engaged in criminal activity, they would only do so as long as it was profitable. Creating one fake corporate identity is simple, creating disposable identities is deliberately hard. Knowing that you are doing business with a company registered in the US has different risks to one registered in the UK or in Germany and the risks of dealing with a company registered in Nigeria or Russia are very different again.

VeriSign Class 3 and EV both outperformed my expectations. They weren't perfect but security is the management of risk, not risk elimination. Neither Firefox nor Chrome is free from sin either and writing code without security vulnerabilities is a task that is entirely within the scope of the developers while providing the interface between the online world and the offline world is not.


At this point the WebPKI and TLS are over 25 years old and they are the only parts of the Web security infrastructure that actually deliver. The only other Internet security protocol that is close to being a home run is SSH and that is really just SSL for Telnet.

Rather than constantly attacking the only parts of the system that are functional, we would do a lot better to look at how Internet security is failing. The big problem of Web Security is Phishing and that is a problem because we still rely on passwords and the way we make use of passwords is the worst possible way.

The original security goal for the WebPKI was to make shopping online as secure as shopping in bricks and mortar stores. That was all. Online brokerages, banks were not part of it: We only had 40 bit encryption because of the export controls. The whole issue was persuading Visa and Mastercard to let merchants use the Web.

What we missed (well I did at least) was the fact that 95% of Web activity doesn't involve payments and never will (sorry Web3 people). So the WebPKI was overbuilt for 95% of Web sites. But we didn't notice that at first because doing RSA1024 was such a drag on the server that the only people using SSL were the people who really, really needed it.

So now we have a situation where the needs of the 95% of sites that only need lightweight encryption with minimal endpoint authentication are driving the whole show. The WebPKI designed by Michael Baum and Warwick Ford has been more or less dismantled.

Rather than going back, I think we should go forward. The WebPKI was a technology of its day. We were working with limited machines and limited technology. We only ever made authenticating the bank to the customer work, TLS Client auth has never been practical because of the Achilles heel of PUBLIC Key Cryptography - we punted on the critical task of managing the private key. And now that the user has dozens of devices, that is a critical problem. Fido overcomes some of the issues of TLS-CA but not the key management one.

I have been telling people that Threshold Key cryptography is the way to address this issue for six years now. First they said go away and write a draft, so I did that. And then they said go away and write code, so I did that. And then they said write an application that uses the code, so I did that.

What I want to do now is to take a look at that code and see if we could use these ideas in existing Web browsers.


My model of the Web is different. In my model, the goal is to put the user in control. So coming back to QWACs, the decision to use QWACs should lie with the user and the user alone. It is not for the browser provider to make that decision. Same for any root store inclusion: it is a user decision.

Now of course, very few users have the ability to make such decisions themselves and the few of us who do do not have the time. So the real issue is that the user should have the ability to delegate that choice to the trust provider of their choice.

In my view, curating CA roots belongs with Anti-Virus, DNS resolution as a personal trust service. When a user acquires a new device, they connect it to their personal account which in turn connects to their chosen trust service provider. The user should have the ability to choose and to re-choose. So if I choose McAfee and they muck up, I can switch to Symantec, or to some open source collaborative effort, or to Microsoft, Google or Apple or whoever else decides to offer such services.


The current code is a command line mode tool that only implements catalogs for bookmarks, contacts, passwords, applications, etc. I will be announcing that at HOPE Friday next:

The main obstacle to implementing the trust service part of the scheme is that it needs to be built around a browser which was impractical until very recently when Microsoft started shipping WebView2:



The Mesh technology means that I can work from the assumption that every device Alice uses is provisioned with the set of private keys and key shares that enable her to do any cryptographic operation I might need. 




Enrico E.

Jul 15, 2022, 3:29:47 AM
to dev-secur...@mozilla.org, hal...@gmail.com, dev-secur...@mozilla.org, kwi...@mozilla.com

Dear all,

I would like to bring in a different view on the whole topic. In April this year this article https://rdcu.be/cJQpU on Qualified Certificates for Website Authentication (QWAC) was published in the journal Datenschutz und Datensicherheit (data protection and data security). We explained why QWACs can help to protect the user in the European Union, why the QWAC is an important feature of the security of the digital infrastructure in the EU, and why the new proposal of the commission is a step in the right direction. In the article, there are preliminary suggestions for how to implement the new article 45 proposal.

Thanks,

Enrico

Phillip Hallam-Baker

Jul 15, 2022, 6:32:11 AM
to Enrico E., dev-secur...@mozilla.org, kwi...@mozilla.com
I don't necessarily disagree with the argument being made there. But I think it would be best if all three parties (Government, Browser Providers, CAs) moved past the original framing of 'Should Google or Government decide who you trust' because it is the wrong question:

The user should decide who to trust.

As we have seen, Google has unilaterally exercised its ability to drop roots out of its store effectively forcing CAs to shut down or be transferred to other operators. Mozilla might think it has a dog in this fight but it is not really Mozilla that is the target of the very real national security concerns that have been raised.

Looking at those concerns from a US-centric silicon valley libertarian perspective is probably not helpful when the decision makers here are Europeans and their elected representatives.


Moudrick M. Dadashov

Jul 15, 2022, 7:00:06 AM
to Phillip Hallam-Baker, Enrico E., dev-secur...@mozilla.org, kwi...@mozilla.com
Good day, Phillip

If we notice a "US-centric" perspective, we should also notice an EU-centric perspective that relies on unelected, unaccountable public sector bodies doing "supervisory body business" under the patronage of pan-European corporations.

To be more specific, let me remind you of the millions of surrogate QSCDs and QESCs in circulation today - the product of a corruption network led by the Swedish telco-banking cartel - the semi-state Telia Company AB (aka corruption academy) and two well-known laundromats - Swedbank and SEB.

BTW, the ORGANIZED GROUP has its own embassy in Brussels.

I wish someone from Mr. Norbert Sagstetter’s team could join the discussion.

Thanks,
M.D.


Sent from my Galaxy

Dimitris Zacharopoulos

Jul 15, 2022, 1:36:20 PM
to Moudrick M. Dadashov, dev-secur...@mozilla.org
Moudrick,

I don't understand how this is related to the discussion in this thread. If you have a specific concern about an existing TSP, the eIDAS framework allows you to file official complaints to the corresponding SB. If this process fails, you will have a good case to present with specific evidence/facts.

Regarding the Mozilla article, I am disappointed about the fact that it was assigned to a "strategies" company and is loaded with inaccurate and "noisy" statements without any concrete evidence to support the statements made.

"This campaign has been developed by Mozilla to help drive industry reform. Learn more about Security Risk Ahead and our business at www.mozilla.com. This website is operated by Hill+Knowlton Strategies | July 2022"

I was hoping for a more objective and balanced approach. The eIDAS framework is not completely "trash". Can things be improved? Of course they can. But we need specific proposals with proper justification to improve things for the benefit of all Relying Parties. I didn't go through the details of the article because it is already extremely biased with statements like:
  • WHY ARE QWACs A PROBLEM?
  • Why QWACs are not secure
  • Discover how QWACs can put you at risk
  • How QWACs harm online rights
  • How QWACs and eIDAS can harm individual cyber security
  • Online threats in the EU are on the rise
  • How QWACs create risk
  • Help browsers protect you from harm
  • How eIDAS legislation could put fundamental rights at risk
  • eIDAS will open users up to attacks
  • Help browsers protect internet users
which deterred me from reading any further. It almost feels like it tries to "brainwash" readers with statements like that.

I'm also surprised that whoever took money to build this website on behalf of Mozilla, completely ignored the Mozilla principles and manifesto:
  • "We are committed to an internet that elevates critical thinking, reasoned argument, shared knowledge, and verifiable facts."
  • "We are committed to an internet that catalyzes collaboration among diverse communities working together for the common good."
  • and in some ways, it is also related to "Commercial involvement in the development of the internet brings many benefits; a balance between commercial profit and public benefit is critical."
I hardly see any "balance" being promoted in this article.


Dimitris.

Cynthia Revström

Jul 15, 2022, 1:55:36 PM
to Moudrick M. Dadashov, Phillip Hallam-Baker, Enrico E., dev-secur...@mozilla.org, kwi...@mozilla.com
Hi Moudrick,

I really do not understand what your point is here, who are the
"ORGANIZED GROUP" and what kind of relationship are you suggesting
that there is between SEB/Swedbank and Telia?
You are making very vague claims here that I can't even begin to try to verify.

The only real thing I can immediately think of is that they are all
big Swedish companies who are also active in the Baltic countries, but
that doesn't mean much on its own.

Yes both SEB and Swedbank have had money laundering issues but I don't
see how that is related to Telia or eIDAS or what this cartel would
be.

-Cynthia


Cynthia Revström

Jul 15, 2022, 2:20:51 PM
to Dimitris Zacharopoulos, Moudrick M. Dadashov, dev-secur...@mozilla.org
From what I know about eIDAS (which is less than some others on this
list) I would mostly agree with Dimitris.

Remember that eIDAS doesn't just touch on QWACs and while I personally
don't really get the point of QWACs and don't agree with the idea of
forcing browsers to include CA's that don't follow the CA/B Forum BRs,
eIDAS is a lot more than that.

It also mostly just seems to tell people that Mozilla thinks article
45.2 of the eIDAS regulation is bad without explaining how that
article "works".
I think it would be more helpful if you explained how this power
actually works as just reading article 45.2 on its own says very
little, at least to someone who is not very familiar with reading EU
legislation.

You also need to keep in mind that currently all major browsers used
in the EU are from US-based organizations, so I can see how that could
cause some within the EU to be worried.

I am quite disappointed that Mozilla went to this level which is more
like what I would expect from some soon to be regulated company that
has profit as the sole aim, and not from a not-for-profit
organization.
Maybe it is just a difference in culture in the EU and the US but I am
not a fan of this.

-Cynthia

Moudrick M. Dadashov

Jul 15, 2022, 2:26:08 PM
to Dimitris Zacharopoulos, dev-secur...@mozilla.org
Hi Dimitris,

"I don't understand how this is related to the discussion in this thread."

I just clarified what the EU-centric perspective means in terms of millions of surrogate* QSCDs and QESCs in circulation today.

* Surrogate QESC means any eIDAS Article 28 (1) - (3) non-compliant ESC that is issued as a QESC. Similarly, it's true for QSCDs.

BTW, I'm well aware of the EU complaint procedure but it's a separate issue - in reality any attempt to initiate an investigation fails because of those private embassies mentioned in my email. In this matter the Commission's public clarification should be very helpful.

In short, the EU-centric perspective relying on so-called SBs doesn't work - it's not just SBs under Directive 1999/93/EC (eIDAS), the same is true for data protection, competition and other relevant sectors.

Hope this helped.

Moudrick M. Dadashov

Jul 15, 2022, 2:36:08 PM
to Cynthia Revström, Phillip Hallam-Baker, Enrico E., dev-secur...@mozilla.org, kwi...@mozilla.com
Thanks Cynthia,

Let me shortly answer your question: "I really do not understand what your point is here, who are the "ORGANIZED GROUP" and what kind of relationship are you suggesting that there is between SEB/Swedbank and Telia?"

Firstly, today we have millions of surrogate QSCDs and QESCs in circulation issued (provisioned) by a TSP fully owned by the Swedish cartel mentioned in my email.

ORGANIZED GROUP means those surrogate QSCDs and QESCs have been deliberately promoted and supported by the corruption infrastructure under the control of this cartel. This is the reason why any attempts to initiate an appropriate administrative procedure are blocked by "interested parties".

Hope this clarifies how the EU-centric perspective functions in reality.

Thanks,
M.D.


Sent from my Galaxy



Cynthia Revström

Jul 15, 2022, 2:46:31 PM
to Moudrick M. Dadashov, Phillip Hallam-Baker, Enrico E., dev-secur...@mozilla.org, kwi...@mozilla.com
Sorry, this doesn't really clarify anything at all, there is still no
proof being provided or any claims that are specific enough for me to
verify.

Also I still don't get how what you are talking about is the "EU
centric perspective", not to mention that of course this is going to
be an EU centric discussion as it is EU legislation/regulation.

And most important of all is I don't see how this has anything to do
with the topic for this thread (securityriskahead.eu/QWACs).
Does this have anything to do with Mozilla's campaign or QWACs?

-Cynthia

Moudrick M. Dadashov

Jul 15, 2022, 3:15:29 PM
to Cynthia Revström, Phillip Hallam-Baker, Enrico E., dev-secur...@mozilla.org, kwi...@mozilla.com
Thanks Cynthia,

Sorry, I'm not familiar with your investigation procedure; once it's clear, I'll be happy to participate, if invited.

In the meantime:

"there is still no proof being provided or any claims that are specific enough for me to verify."

Specific claims: millions of QSCDs and QESCs in circulation today.

As for proof, I'll be happy to participate in any formal investigation.


"Also I still don't get how what you are talking about is the "EU centric perspective", not to mention that of course this is going to be an EU centric discussion as it is EU legislation/regulation."


And you are right, surrogate QSCDs and QESCs were post factum legitimized "nationally" despite their direct competition with Directive 1999/93/EC, eIDAS and other relevant legislation. So the cartel buys whatever national legislation is needed with the presumption that "nobody cares".

"And most important of all is I don't see how this has anything to do with the topic for this thread (securityriskahead.eu/QWACs).
Does this have anything to do with Mozilla's campaign or QWACs?"

Depends what you mean by security, if surrogate QSCD/QESC are secure, of course QWACs also should be secure.


Hope this helps.

Kirk Hall

Jul 15, 2022, 8:20:38 PM
to dev-secur...@mozilla.org, ji...@it.auth.gr, dev-secur...@mozilla.org, m...@ssc.lt

I agree with Dimitris’ disappointment with Mozilla for setting up such a misleading website – this is harmful to Mozilla’s reputation.

Mozilla, on behalf of the browsers, is lobbying against legislation now before the EU Parliament intended to amend various parts of the 2014 eIDAS statute (“electronic IDentification, Authentication and trust Services” in the European Union).  The legislation covers many subjects, but Mozilla’s attacks are on the updates to Article 45 covering Qualified Web Authentication Certificates (QWACs).  QWACs are similar to Extended Validation (EV) Certificates (they strongly identify the owner of a website through the TLS encryption certificate), but with additional security safeguards for consumers.

QWACs are only issued by Qualified Trust Service Providers (QTSPs), which are Certification Authorities (CAs) established in the EU who must follow ALL of the SAME CA/Browser Forum requirements as every other CA in the world (including those browsers who are also CAs, such as Google).  QTSPs must follow additional ETSI technical standards not applicable to other CAs, and are continuously monitored by their ETSI auditors. 

Finally, QTSPs and their trust services must also be approved by a national supervisory body before they can be listed on the EU Trust List and offer services like QWACs to the EU public.  https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home

Why does the EU want these changes to existing eIDAS Article 45?  The EU is strongly committed to its own “digital sovereignty” to protect EU consumers, and is no longer willing to allow US big tech companies to dictate all the rules of the internet based on their own subjective judgment and commercial interests.  The EU has asked browsers (including Mozilla) to work with it on these issues since 2015, but the browsers have never been willing to cooperate. 

The 2022 changes to eIDAS Article 45 are the result of this lack of browser cooperation over the years, and the grossly misleading website set up by Mozilla is just a part of a massive lobbying effort by the browsers to turn the EU Parliament against the proposals of its own EU Commission.  Misleading, and very disappointing.

The eIDAS 2 Article 45 legislation includes two main changes to existing EU law on QWACs:

(1) The EU wants browsers who distribute their software in the EU to bring back a common identity UI (like the one they showed to users for QWAC and EV certificates until 2019, when they arbitrarily removed the identity UI) so consumers can know “who they are dealing with” when they provide their personal data (password, credit card number) to a website.  EU consumers actually already have a “right to know” who they are dealing with under GDPR and two other EU laws before they provide websites with their personal data.  The browsers are not respecting this legal right in their current UIs.

(2) In addition, the EU wants to establish its own “digital sovereignty” for EU citizens through its own EU Trust List for trust service providers – and it does not want US big tech browsers to have the unilateral subjective right to distrust a QTSP based on the browser’s own whim, without applying public and objective standards and without granting any right to appeal and obtain review of a browser decision by a trusted technical body such as ENISA.  For this reason, revised Article 45 requires browsers who distribute their software in the EU to “recognize” QWACs – that’s all.

The browsers are strongly lobbying against these two important EU Article 45 goals, and the Mozilla website is part of this disinformation campaign as described by Dimitris. 

Finally, it’s important for the Mozilla community to read the ACTUAL language of eIDAS 2 Article 45 on QWACs that is the subject of Mozilla’s anti-QWAC website.  The ACTUAL language is shown below – compare this language to the embarrassing disinformation on the Mozilla website:

*****

eIDAS 2 - Recital (32): Website authentication services provide users with assurance that there is a genuine and legitimate entity standing behind the website. Those services contribute to the building of trust and confidence in conducting business online, as users will have confidence in a website that has been authenticated.

The use of website authentication services by websites is voluntary. However, in order for website authentication to become a means to increasing trust, providing a better experience for the user and furthering growth in the internal market, this Regulation lays down minimal security and liability obligations for the providers of website authentication services and their services.

To that end, web-browsers should ensure support and interoperability with Qualified certificates for website authentication [QWACs] pursuant to Regulation (EU) No 910/2014. They should recognise and display Qualified certificates for website authentication to provide a high level of assurance, allowing website owners to assert their identity as owners of a website and users to identify the website owners with a high degree of certainty. To further promote their usage, public authorities in Member States should consider incorporating Qualified certificates for website authentication in their websites. ***

eIDAS 2 - Article 45 - Requirements for qualified certificates for website authentication ***

[1. Specifies what QWACs are – no changes from current law.]

2. Qualified certificates for website authentication [QWACs] *** shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data *** is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with [QWACs] ***.

3. Within 12 months of the entering into force of this Regulation, the Commission shall, by means of implementing acts, provide the specifications and reference numbers of standards for [QWACs]. ***

Nick Lamb

Jul 15, 2022, 10:52:59 PM
to dev-secur...@mozilla.org
On Fri, 15 Jul 2022 17:20:38 -0700 (PDT)
Kirk Hall <kirkhal...@gmail.com> wrote:

> Mozilla, on behalf of the browsers

Where do you see this? In what way is Mozilla acting "on behalf of the
[other?] browsers" rather than as itself?

> QWACs
> are similar to Extended Validation (EV) Certificates (they strongly
> identify the owner of a website through the TLS encryption
> certificate), but with additional security safeguards for consumers.

EV existed because the for-profit CAs wanted a hook to get more money.
EV certificates were not designed to (and did not) achieve what you
seem to have imagined. This lack of technical knowledge is a bad sign.

The way HTTP transactions work, the certificate you're seeing displayed
when you look at a web page will sometimes (in some cases often) not be
the same certificate provided when sending your data to the web site.

> QWACs are only issued by Qualified Trust Service Providers (QTSPs),
> which are Certification Authorities (CAs) established in the EU who
> must follow ALL of the SAME CA/Browser Forum requirements as every
> other CA in the world (including those browsers who are also CAs,
> such as Google).

In practice what matters is public oversight, and not a hierarchy of
abbreviations. That word "Qualified" has a bad history in this context.

> QTSPs must follow additional ETSI technical
> standards not applicable to other CAs, and are continuously monitored
> by their ETSI auditors.

The proof of the pudding is in the eating. Right now there is no
history to suggest this is effective compared to existing policies.

> Finally, QTSPs and their trust services must also be approved by a
> national supervisory body before they can be listed on the EU Trust
> List and offer services like QWACs to the EU public.
> https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home

At best this doesn't help, at worst it actively hinders.

> Why does the EU want these changes to existing eIDAS Article 45? The
> EU is strongly committed to its own “digital sovereignty” to protect
> EU consumers, and is no longer willing to allow US big tech companies
> to dictate all the rules of the internet based their own subjective
> judgment and commercial interests. The EU has asked browsers
> (including Mozilla) to work with it on these issues since 2015, but
> the browsers have never been willing to cooperate.

Understandably nobody wants to make stuff worse just in order to
satisfy EU politicians, especially when of course the blame will all be
placed on the browsers when things go wrong.

If the EU would like "digital sovereignty" through controlling how web
browsers work perhaps it should spend the eye-watering sum of money
needed to write similarly good web browsers and offer them to EU
citizens?

> The 2022 changes to eIDAS Article 45 is the result of this lack of
> browser cooperation over the years, and the grossly misleading
> website set up Mozilla is just a part of a massive lobbying effort by
> the browsers to turn the EU Parliament against the proposals of its
> own EU Commission. Misleading, and very disappointing.

As somebody with more than a little actual knowledge in this area, I
disagree, the site seems to summarise real problems with this eIDAS
article as currently written.

> (1) The EU wants browsers who distribute their software in the EU to
> bring back a common identity UI (like the one they showed to users
> for QWAC and EV certificates until 2019, when they arbitrarily
> removed the identity UI) so consumers can know “who they are dealing
> with” when they provide their personal data (password, credit card
> number) to a website. EU consumers actually already have a “right to
> know” who they are dealing with under GDPR and two other EU laws
> before they provide websites with their personal data. The browsers
> are not respecting this legal right in their current UIs.

The "right to know" does not translate to an obligation on third
parties as you've suggested here. If it did then telecoms companies
would be obliged to prefix incoming calls with detailed information
about who is calling you, just in case you were to answer any questions
on that call. Instead - as a consumer would expect - the web site is
responsible for informing them as to who they are dealing with, just as
a caller would be responsible on the telephone.

Furthermore, the UI "they showed to users for QWAC and EV
certificates" is considered actively misleading, which is one reason it
was deprecated and shouldn't be brought back. It is not surprising that
for-profit entities would seek to have the EU write policy that
increases revenue for them, but really you'd hope that politicians
would be a bit sharper in figuring out the motivation.

That's what EV was about, and that's what this special treatment for
QWAC is about too. The CA does the same work, but they persuade
subscribers now it's worth more money because they were able to have
the browser show a different UI.

Technically, what you're asking (and indeed what the eIDAS documents
seem to imagine getting) is not possible. Into the gap between what they
imagine and what is actually possible falls every consumer who is
victimised by criminals as a result. Does the revised eIDAS article
contain funding to compensate those victims? It seems not.


> (2) In addition, the EU wants to establish its own “digital
> sovereignty” for EU citizens through its own EU Trust List for trust
> service providers – and it does not want US big tech browsers to have
> the unilateral subjective right to distrust a QTSP based on the
> browser’s own whim, without applying public and objective standards
> and a without granting any right to appeal and obtain review of a
> browser decision by a trusted technical body such as ENISA. For this
> reason, revised Article 45 requires browsers who distribute their
> software in the EU to “recognize” QWACs – that’s all.

The real world effect of this proposal is that there would be more
victims.

EU member states have not proved to be very good in the role you imagine
for them. I suggest reading about DigiNotar. Likewise a "right to
appeal" has the same problem in this context as it would for arresting a
violent criminal. The Dutch government claimed to believe its own services
(operated by DigiNotar) were unaffected (they were actually compromised
too), and it fought in its own courts (against Dutch journalists) to
suppress internal documents showing DigiNotar was completely
compromised and its oversight had been inadequate.

Public oversight is what's needed, and that's what we do around here,
it's why m.d.s.policy is not a private forum for Mozilla's employees,
but instead a public discussion by the community of users, which in
effect is everybody in our increasingly connected world.

eIDAS revisions seek to subvert that, replacing the oversight and
judgement of the Relying Parties (everybody) with the lack of oversight
from EU member states who've got other priorities.

> eIDAS 2 - Recital (32): Website authentication services provide users
> with assurance that there is a genuine and legitimate entity standing
> behind the website. Those services contribute to the building of
> trust and confidence in conducting business online, as users will
> have confidence in a website that has been authenticated.

This is a bad regulation. It could have been written by people who
don't understand the technology they're trying to regulate, but alas I
suspect instead it was written by people who understand perfectly well
that technology but are focused on how best to increase the revenue of
their for-profit company by manipulating politicians.

The thing we know how to actually do, we are already doing. The DNS name
in the URL bar is, in fact, the DNS name of the site you're visiting. If
the EU wants that to reflect a "genuine and legitimate entity" it is
welcome to use the entire TLD it has (.eu) to enforce such rules for DNS
names. I should warn you that similar ideas in the UK were... not
whole-heartedly embraced, the ltd.uk and plc.uk second level domains
are not very popular.

Trying to leverage the X.509 Common Name field to do something else, as
EV is purported to do and as it appears QWACs want to attempt, will not
have the desired effect except in the sense that the "desired effect"
for some of these QTSPs would be to increase their revenue.

Nick.
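The point Nick makes above, that the one binding browsers actually verify is between the URL's DNS name and the certificate, can be shown in code. The following is an added example written for this thread, not code from any browser or CA: a hostname matcher in the style of RFC 6125 that consults only the subjectAltName dNSName entries (with the legacy Common Name fallback off by default, as Chrome has done since version 58). The certificates are constructed dictionaries in the layout returned by Python's `ssl.SSLSocket.getpeercert()`, not real certificates, and the organization names in them are invented. The Subject organization string that an EV or QWAC UI would display never enters the check, so two certificates with identical organization fields bind to entirely different hostnames.

```python
"""Hostname verification a la RFC 6125 (added illustration, not browser code).

The certificate dictionaries below are constructed for this example and use
the shape of ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a
tuple of (attribute, value) pairs; 'subjectAltName' is a tuple of (type, value).
"""
from typing import Any, Dict, List, Optional


def san_dns_names(cert: Dict[str, Any]) -> List[str]:
    """All dNSName entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_attr(cert: Dict[str, Any], attr: str) -> Optional[str]:
    """First value of a Subject attribute such as 'organizationName'."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == attr:
                return value
    return None


def dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a reference hostname.

    Rules (RFC 6125 section 6.4.3, as browsers apply them): comparison is
    case-insensitive; a wildcard is allowed only as the whole left-most label,
    matches exactly one label, needs at least two labels to its right
    (so '*.com' is rejected) and never matches an IDNA 'xn--' label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial wildcards such as 'f*.example' are not accepted
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    if not h_labels[0] or h_labels[0].startswith("xn--"):
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_matches(cert: Dict[str, Any], hostname: str,
                     allow_cn_fallback: bool = False) -> bool:
    """True if the certificate is valid for hostname.

    Only subjectAltName dNSName entries count. The Subject organization (what an
    EV/QWAC UI shows) is never consulted; the Subject CN is consulted only when
    the caller opts into the legacy fallback and no SAN dNSName is present.
    """
    names = san_dns_names(cert)
    if not names and allow_cn_fallback:
        cn = subject_attr(cert, "commonName")
        names = [cn] if cn else []
    return any(dns_pattern_matches(p, hostname) for p in names)


# Constructed sample certificates (not real; organization names invented).
BANK_CERT = {
    "subject": ((("countryName", "EU"),),
                (("organizationName", "Genuine Bank Ltd"),),
                (("commonName", "bank.example"),)),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
# Same organization string, different DNS binding: the UI label is identical,
# the name the browser actually verifies is not.
LOOKALIKE_CERT = {
    "subject": ((("countryName", "EU"),),
                (("organizationName", "Genuine Bank Ltd"),),
                (("commonName", "bank-example.test"),)),
    "subjectAltName": (("DNS", "bank-example.test"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "only.example"),),)}


def binding_summary(cert: Dict[str, Any], hostname: str) -> Dict[str, Any]:
    """What the browser verified (hostname) versus what a UI would display (O)."""
    return {
        "hostname_verified": hostname_matches(cert, hostname),
        "displayed_organization": subject_attr(cert, "organizationName"),
    }


if __name__ == "__main__":
    for cert, host in ((BANK_CERT, "www.bank.example"),
                       (LOOKALIKE_CERT, "bank-example.test"),
                       (LOOKALIKE_CERT, "bank.example")):
        print(host, binding_summary(cert, host))
```

Run stand-alone, the script shows that `binding_summary` reports the same displayed organization for both sample certificates while `hostname_verified` depends purely on the SAN entries and the hostname typed into the URL bar.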

Watson Ladd

unread,
Jul 15, 2022, 11:06:38 PM7/15/22
to Kirk Hall, dev-secur...@mozilla.org, ji...@it.auth.gr, m...@ssc.lt
On Fri, Jul 15, 2022 at 5:20 PM Kirk Hall <kirkhal...@gmail.com> wrote:
>
> I agree with Dimitris’ disappointment with Mozilla for setting up such a misleading website – this is harmful to Mozilla’s reputation.

Why shouldn't Mozilla lobby about a law that would dramatically affect
the Web PKI and its future?
>
> Mozilla, on behalf of the browsers, is lobbying against legislation now before the EU Parliament intended to amend various parts of the 2014 eIDAS statute (“electronic IDentification, Authentication and trust Services” in the European Union). The legislation covers many subjects, but Mozilla’s attacks are on the updates to Article 45 covering Qualified Web Authentication Certificates (QWACs). QWACs are similar to Extended Validation (EV) Certificates (they strongly identify the owner of a website through the TLS encryption certificate), but with additional security safeguards for consumers.
>
> QWACs are only issued by Qualified Trust Service Providers (QTSPs), which are Certification Authorities (CAs) established in the EU who must follow ALL of the SAME CA/Browser Forum requirements as every other CA in the world (including those browsers who are also CAs, such as Google). QTSPs must follow additional ETSI technical standards not applicable to other CAs, and are continuously monitored by their ETSI auditors.
>
> Finally, QTSPs and their trust services must also be approved by a national supervisory body before they can be listed on the EU Trust List and offer services like QWACs to the EU public. https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home
>
> Why does the EU want these changes to existing eIDAS Article 45? The EU is strongly committed to its own “digital sovereignty” to protect EU consumers, and is no longer willing to allow US big tech companies to dictate all the rules of the internet based on their own subjective judgment and commercial interests. The EU has asked browsers (including Mozilla) to work with it on these issues since 2015, but the browsers have never been willing to cooperate.
>
> The 2022 changes to eIDAS Article 45 are the result of this lack of browser cooperation over the years, and the grossly misleading website set up by Mozilla is just a part of a massive lobbying effort by the browsers to turn the EU Parliament against the proposals of its own EU Commission. Misleading, and very disappointing.

The Commission is not part of the Parliament: it is intergovernmental
and the Parliament is not.

>
> The eIDAS 2 Article 45 legislation includes two main changes to existing EU law on QWACs:
>
> (1) The EU wants browsers who distribute their software in the EU to bring back a common identity UI (like the one they showed to users for QWAC and EV certificates until 2019, when they arbitrarily removed the identity UI) so consumers can know “who they are dealing with” when they provide their personal data (password, credit card number) to a website. EU consumers actually already have a “right to know” who they are dealing with under GDPR and two other EU laws before they provide websites with their personal data. The browsers are not respecting this legal right in their current UIs.

There has been much research behind the removal of EV. It wasn't
adding value to protecting users, because there is no global notion of
corporate identity, and that's not how domains work and that's not how
companies work. The EU seems to have ignored all of this.

>
> (2) In addition, the EU wants to establish its own “digital sovereignty” for EU citizens through its own EU Trust List for trust service providers – and it does not want US big tech browsers to have the unilateral subjective right to distrust a QTSP based on the browser’s own whim, without applying public and objective standards and without granting any right to appeal and obtain review of a browser decision by a trusted technical body such as ENISA. For this reason, revised Article 45 requires browsers who distribute their software in the EU to “recognize” QWACs – that’s all.

Root programs have never been entitlements, and it isn't a technical
decision. Browsers need to be able to improve the CA ecosystem, as
Google did by creating certificate transparency and requiring CAs to
use it. It wasn't a CA/B forum requirement until long after, and some
CAs got told they had to use it first. Enshrining a least common
denominator into law, and then prohibiting browsers from adding
additional restrictions means that the Web PKI ecosystem will shift
power from browsers to CAs, who are unmotivated to improve things and
who get to lobby politicians. How does the Web PKI evolve in that
world? That's ignoring the impacts to internet anonymity and access
that the QWACs create.

There's also the multistakeholder governance model to consider.
Creating national legislation to require the Internet work a certain
way breaks that governance model, and makes it much, much harder to
stand up to the next Kazakhstan. Multistakeholder governance and the
lack of Internet police has had its issues, but it has meant that
continued innovation is possible even if it causes a great deal of
losses to a good many entrenched interests. The same cannot be said
for EU lobbying.

Sincerely,
Watson Ladd

Phillip Hallam-Baker

unread,
Jul 16, 2022, 4:15:58 AM7/16/22
to Watson Ladd, Kirk Hall, dev-secur...@mozilla.org, ji...@it.auth.gr, m...@ssc.lt
On Sat, Jul 16, 2022 at 4:06 AM Watson Ladd <watso...@gmail.com> wrote:

> There's also the multistakeholder governance model to consider.
> Creating national legislation to require the Internet work a certain
> way breaks that governance model, and makes it much, much harder to
> stand up to the next Kazakhstan. Multistakeholder governance and the
> lack of Internet police has had its issues, but it has meant that
> continued innovation is possible even if it causes a great deal of
> losses to a good many entrenched interests. The same cannot be said
> for EU lobbying.

What the browser providers have done here is to strip away every part of the security signal so that users have no way to know which site they are on.

You might think you have really good reasons for doing that, you might think that the bureaucrats behind this proposal are utterly ignorant of the technical issues, you might think a lot of things. But the fact remains that when a user clicks on a link in an email, there is absolutely no reliable way for them to know what site they are connected to. You might think that isn't your problem, on that point you are wrong.

The EU really does not care about your concern about what Kazakhstan might or might not order you to do. What they care about is the security of the Internet experience for EU citizens. And that experience is currently defective.

I proposed EV as a means of fixing that issue. Contrary to claims made, it had nothing to do with boosting profits. When I called the meeting that led to EV, I had been told not to pursue it by the VP of PKI. Fortunately he left for another company and there was a four month gap where Tim Callan and myself pushed EV through at VeriSign while Melhi pushed it as an industry thing.


If you don't want the EU to tell you what you are going to do, you are going to need to provide a different solution to the security gap in the current Internet experience. If you don't like my solution, propose a different one.

The fact you don't like the EV solution is not a problem for the bureaucrats. Their skill as regulators is in persuading industries to adopt practices that lead to their desired outcomes.