You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/c10bc945-4b0c-4fcd-b438-98b0e4364f8bn%40mozilla.org.
I would like to bring in a different view on the whole topic. In April this year this article https://rdcu.be/cJQpU on Qualified Certificates for Website Authentication (QWAC) was published in the journal Datenschutz und Datensicherheit (data protection and data security). We explained why QWACs can help to protect the user in the European Union, why the QWAC is an important feature of the security of the digital infrastructure in the EU, and why the new proposal of the commission is a step in the right direction. In the article, there are preliminary suggestions for how to implement the new article 45 proposal.
"This campaign has been developed by Mozilla to help drive industry reform. Learn more about Security Risk Ahead and our business at www.mozilla.com. This website is operated by Hill+Knowlton Strategies | July 2022"
I agree with Dimitris’ disappointment with Mozilla for setting up such a misleading website – this is harmful to Mozilla’s reputation.
Mozilla, on behalf of the browsers, is lobbying against legislation now before the EU Parliament intended to amend various parts of the 2014 eIDAS statute (“electronic IDentification, Authentication and trust Services” in the European Union). The legislation covers many subjects, but Mozilla’s attacks are on the updates to Article 45 covering Qualified Web Authentication Certificates (QWACs). QWACs are similar to Extended Validation (EV) Certificates (they strongly identify the owner of a website through the TLS encryption certificate), but with additional security safeguards for consumers.
QWACs are only issued by Qualified Trust Service Providers (QTSPs), which are Certification Authorities (CAs) established in the EU who must follow ALL of the SAME CA/Browser Forum requirements as every other CA in the world (including those browsers who are also CAs, such as Google). QTSPs must follow additional ETSI technical standards not applicable to other CAs, and are continuously monitored by their ETSI auditors.
Finally, QTSPs and their trust services must also be approved by a national supervisory body before they can be listed on the EU Trust List and offer services like QWACs to the EU public. https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home
Why does the EU want these changes to existing eIDAS Article 45? The EU is strongly committed to its own “digital sovereignty” to protect EU consumers, and is no longer willing to allow US big tech companies to dictate all the rules of the internet based on their own subjective judgment and commercial interests. The EU has asked browsers (including Mozilla) to work with it on these issues since 2015, but the browsers have never been willing to cooperate.
The 2022 changes to eIDAS Article 45 are the result of this lack of browser cooperation over the years, and the grossly misleading website set up by Mozilla is just a part of a massive lobbying effort by the browsers to turn the EU Parliament against the proposals of its own EU Commission. Misleading, and very disappointing.
The eIDAS 2 Article 45 legislation includes two main changes to existing EU law on QWACs:
(1) The EU wants browsers who distribute their software in the EU to bring back a common identity UI (like the one they showed to users for QWAC and EV certificates until 2019, when they arbitrarily removed the identity UI) so consumers can know “who they are dealing with” when they provide their personal data (password, credit card number) to a website. EU consumers actually already have a “right to know” who they are dealing with under GDPR and two other EU laws before they provide websites with their personal data. The browsers are not respecting this legal right in their current UIs.
(2) In addition, the EU wants to establish its own “digital sovereignty” for EU citizens through its own EU Trust List for trust service providers – and it does not want US big tech browsers to have the unilateral subjective right to distrust a QTSP based on the browser’s own whim, without applying public and objective standards and without granting any right to appeal and obtain review of a browser decision by a trusted technical body such as ENISA. For this reason, revised Article 45 requires browsers who distribute their software in the EU to “recognize” QWACs – that’s all.
The browsers are strongly lobbying against these two important EU Article 45 goals, and the Mozilla website is part of this disinformation campaign as described by Dimitris.
Finally, it’s important for the Mozilla community to read the ACTUAL language of eIDAS 2 Article 45 on QWACs that is the subject of Mozilla’s anti-QWAC website. The ACTUAL language is shown below – compare this language to the embarrassing disinformation on the Mozilla website:
eIDAS 2 - Recital (32): Website authentication services provide users with assurance that there is a genuine and legitimate entity standing behind the website. Those services contribute to the building of trust and confidence in conducting business online, as users will have confidence in a website that has been authenticated.
The use of website authentication services by websites is voluntary. However, in order for website authentication to become a means to increasing trust, providing a better experience for the user and furthering growth in the internal market, this Regulation lays down minimal security and liability obligations for the providers of website authentication services and
To that end, web-browsers should ensure support and interoperability with Qualified certificates for website authentication [QWACs] pursuant to Regulation (EU) No 910/2014. They should recognise and display Qualified certificates for website authentication to provide a high level of assurance, allowing website owners to assert their identity as owners of a website and users to identify the website owners with a high degree of certainty. To further promote their usage, public authorities in Member States should consider incorporating Qualified certificates for website authentication in their websites. ***
eIDAS 2 - Article 45 - Requirements for qualified certificates for website authentication ***
[1. Specifies what QWACs are – no changes from current law.]
2. Qualified certificates for website authentication [QWACs] *** shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data *** is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with [QWACs] ***.
3. Within 12 months of the entering into force of this Regulation, the Commission shall, by means of implementing acts, provide the specifications and reference numbers of standards for [QWACs]. ***
There's also the multistakeholder governance model to consider. Creating national legislation to require the Internet to work a certain way breaks that governance model, and makes it much, much harder to stand up to the next Kazakhstan. Multistakeholder governance and the lack of Internet police has had its issues, but it has meant that continued innovation is possible even if it causes a great deal of losses to a good many entrenched interests. The same cannot be said for EU lobbying.