The EU Digital Identity framework (eIDAS), Certificate Authorities, and You

by Odin Landers

Introduction

The European Union is set up to implement eIDAS 2.0, the newest version of the electronic IDentification, Authentication and Trust Services regulation framework. Within it lies the statement “Qualified certificates for website authentication issued in accordance with paragraph 1 shall be recognised by web-browsers”. But what is a “qualified certificate for website authentication” (QWAC)? And what does this mean in practice?

Background

In the beginning, there was HTTP, the “HyperText Transfer Protocol”, which formed the backbone of the internet, and it was good. Whenever you go to a website, the HTTP protocol is what underlies your connection and is responsible for sending you the contents of the page, such as the hypertext markup, images, and any scripts or stylesheets that the page requires.

Oops. (The home page of ebay.com with all of the images flipped, from the Upside Down Ternet project, which exploited the lack of encryption in HTTP.)

And then came the realization that the HTTP protocol did not use encryption, so anyone with enough access to the network path could tamper with or transparently snoop on the connection. Although it was very funny, people realized that more security was needed. Therefore HTTPS, the “HyperText Transfer Protocol Secure”, was born in 1994, and it was good.

HyperText Transfer Protocol Secure

HTTPS solved a crucial problem with HTTP: the lack of encryption. This stopped people from being able to mess with the traffic, but there’s a catch: anyone who previously had the power to modify the traffic could, in theory, still tamper with it by inserting themselves as an intermediary between users and remote hosts. This is known as a Man in the Middle (MITM) attack. The solution was to designate a number of organisations as “Certificate Authorities” (CAs). A CA issues an SSL (Secure Sockets Layer) certificate to a website whose identity it has validated, and that certificate is used to set up the encrypted connection. Only the certificate holder, who controls the matching private key, can decrypt the traffic from the user; the issuing CA vouches for the identity but holds no key to the traffic. Web browsers trust only a fixed set of Certificate Authorities, so a MITM attack fails: the attacker has no certificate for the site that a trusted CA has issued.

The integrity of the Certificate Authorities is therefore critical: even a single compromised or malicious Certificate Authority can issue certificates for any website, which an adversary who controls that CA could then use to intercept traffic in a MITM attack. For this reason, all Certificate Authorities go through a strict vetting process by the major browser vendors, and must publish every certificate they issue to a Certificate Transparency (CT) log for it to be deemed valid. These logs are publicly viewable, and they hold the CAs accountable.
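To make the trust-store point above concrete, here is an added example (not code from this post) that builds a throwaway lab PKI with the openssl CLI: the same server certificate is trusted or rejected purely depending on which root is in the store, and a leaf that was never logged to CT carries no SCTs. The root names, the hostname example.test and the temporary files are all constructed for the demo.

```shell
# Added example (not code from the post): a throwaway lab PKI showing that browser-style
# trust is decided entirely by which roots sit in the trust store (so any root in the store
# can vouch for any hostname), plus the Certificate Transparency (SCT) check on a leaf.
# Assumes only the openssl CLI (1.1.1 or 3.x); every name below is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Self-contained config so nothing depends on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Lab Root CA (constructed)
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF
# Two independent roots plus one server leaf for example.test, signed by the first root only.
make_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=Other Lab Root CA" -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}
# Emulates a browser whose store holds exactly one root: prints trusted or untrusted.
verify_with_store() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}
# Embedded SCT count: a publicly trusted leaf must carry SCTs, this lab leaf has none.
sct_count() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -c "CT Precertificate SCTs" || true
}
make_lab_pki
verify_with_store "$WORK/ca.pem"      # trusted: the issuing root is in the store
verify_with_store "$WORK/other.pem"   # untrusted: same leaf, but the store lacks its issuer
sct_count                             # 0
```

Swap which root you hand to verify_with_store and the verdict flips with no change to the leaf at all, which is exactly why adding a root to the store is the same as trusting it for every domain.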

Extended Validation (EV) certificates and Let’s Encrypt

Certificate Authorities have most commonly been run as businesses. (More on that later.) Therefore they charge money for SSL certificates, and more money for what are known as “Extended Validation” (EV) certificates. EV certificates are a sort of “premium” certificate: they state not only that the identity of the website owner has been validated by the CA, but that it has been validated to be a specific person or corporate entity. This information would typically be shown in the address bar (seen above) as a safeguard against phishing (a website impersonating another for the purpose of stealing information). Nowadays, while EV certificates still exist, browsers no longer show that information in the address bar, because it did not fulfil its intended purpose.

Furthermore, a non-profit known as Let’s Encrypt started offering free SSL certificates to boost HTTPS adoption, making most of the CAs’ business model irrelevant. This made EV certificates even more pointless, as they became so uncommon that most users didn’t even know what they were.

Article 45

In Article 45 of the eIDAS regulations, it states that:

‘qualified certificate for website authentication’ means a certificate for website authentication, which is issued by a qualified trust service provider and meets the requirements laid down in Annex IV;

National trusted lists should confirm the qualified status of website authentication services and of their trust service providers, including their full compliance with the requirements of this Regulation with regards to the issuance of qualified certificates for website authentication.

Recognition of QWACs means that the providers of web-browsers should not deny the authenticity of qualified certificates for website authentication attesting the link between the website domain name and the natural or legal person to whom the certificate is issued and confirming the identity of that person.
Qualified certificates for website authentication issued in accordance with paragraph 1 shall be recognised by web-browsers. Web-browsers shall ensure that the identity data attested in the certificate and additional attested attributes are displayed in a user-friendly manner. 
Qualified certificates for website authentication shall not be subject to any mandatory requirements other than the requirements laid down in paragraph 1.

Leaked text of Article 45 of eIDAS, via Scott Helme

Now, with the above information, it’s plain to see what a “qualified certificate for website authentication” (QWAC) is. QWACs are, essentially, government-mandated EV certificates. They must be issued by trust service providers on “national trusted lists”, and web browsers must accept them and display the additional identity information they contain.
In theory, having the government take over the job of the CAs doesn’t sound too bad, since it should be better equipped to verify identities, right? You’d think so, but there are several obvious flaws in this plan. First, it hands the keys to the CA system directly to governments. That is bad because it grants them the power to snoop on all Internet traffic: as described above, a trusted CA can issue a certificate for any website, so granting governments any CA trust effectively grants them all of it. (There’s a version of Article 45 that claims to solve this, but it simply doesn’t.) Second, it mandates that web browsers accept the authenticity of these certificates. Depending on what school of thought you subscribe to, this borders on a free speech violation, if you consider software speech. And lastly, it says the certificates “shall not be subject to any mandatory requirements” beyond those in paragraph 1, effectively smashing down the protections of the Certificate Transparency system.

Controversy

From “Mozilla website pushes serious eIDAS misinformation to political decision makers and public” – European Signature Dialog. I don’t even have a caption for this anymore.

Obviously enough, this led to public outcry. Google and the EFF had a rare moment of agreement and wrote very strongly worded public letters aimed at lawmakers. This led to the European Signature Dialog publishing a document in which it decries those letters as misinformation. Most of the meat of the document boils down to the opposition making a very good point, followed by the ESD’s succinct refutation, containing little more than “no, it wouldn’t”, repeated several hundred times.

This becomes far more curious when you look into who the ESD is, and why they’re pushing for this so strongly.

European Signature Dialog aims to connect major European Trust Service Providers to share best practices, develop a common industry viewpoint on regulatory issues and empower European solutions for guaranteed data-security.

The European Signature Dialog’s LinkedIn page

As a surprise to probably nobody, it’s an EU lobbying group made up of “European Trust Service Providers” (read: CAs). This move effectively cements their business model into law, as government-approved Certificate Authorities can issue these QWACs that are now legally binding. Britain also adopted the same Article 45 and indeed most of eIDAS 2.0 in general, so you’re not safe there either.

Conclusion

The 45th article of the EU Digital Identity framework and its consequences, if passed into law, will be a disaster for privacy on the Internet. According to europa.eu, on November 8, 2023, the European Council and Parliament reached an agreement on eIDAS and presumably article 45 (they’re in favor) and there’s not much now to be done about it. It raises serious questions about the future of government surveillance and free speech, and is a reflection of the sad fact that you can apparently get anything into proposed legislation if you lobby hard enough.

Sources

https://www.eff.org/deeplinks/2023/11/article-45-will-roll-back-web-security-12-years
https://scotthelme.co.uk/what-the-qwac/
https://mullvad.net/en/blog/2023/11/2/eu-digital-identity-framework-eidas-another-kind-of-chat-control
https://pete.ex-parrot.com/upside-down-ternet.html
https://www.thawte.com/assets/products/images/thawte-ev-bar-examples.jpg
https://www.bleepingcomputer.com/news/software/chrome-and-firefox-changes-spark-the-end-of-ev-certificates/
https://letsencrypt.org/
https://security.googleblog.com/2023/11/qualified-certificates-with-qualified.html
https://www.european-signature-dialog.eu/ESD_answer_to_Mozilla_misinformation_campaign.pdf
https://www.linkedin.com/company/european-signature-dialog
https://www.legislation.gov.uk/eur/2014/910/contents
https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation
