Cybersecurity Concerns Persist Over the Revised eIDAS Web Certificate Mandate
European Union lawmakers and trading bloc governments reached a provisional agreement on a revised identity framework intended to digitize access to key public services for the majority of Europeans by the start of the next decade.
The Wednesday announcement by the European Parliament and Council puts a revision to the electronic identification and trust services regulations – better known as eIDAS – within striking distance of enactment. A final text of the proposal will be submitted to the Parliament and the Council of member states for final approval.
Under the new initiative, the European Commission anticipates that by 2030, 8 in 10 Europeans will be able to use digital identity to access different online services. Backers say free digital wallets linked to national digital identities will take the place of physical copies of driver’s licenses and educational credentials. “Citizens will be able to prove their identity and share electronic documents from their digital wallets with a click of a button on their mobile phone,” the European Council said.
The update is not universally welcomed by cybersecurity experts, some of whom chafe at a requirement for web browsers to accept online certificates displaying the identity of the organization that owns the site (see: Browser Makers and EU Face Off Over QWACs).
The EU’s proposal for qualified web authentication certificates, more commonly known as QWACs, would place into root stores certificates issued by entities designated by European governments as qualified trust service providers.
Browser makers – including Mozilla, Apple and Google – have objected, and Mozilla has become the public face of browser opposition. “The root store programs operated by web browsers and operating systems are the core of internet security,” it and other organizations, including Cloudflare, said in a Nov. 2 letter. A bad certificate issued by one European country “will affect citizens in all other member states.”
The opponents also objected to the role of the European Telecommunications Standards Institute in setting standards for QWACs. “This means that root stores cannot apply policies that have been effective in the past, like requiring the use of Certificate Transparency to improve accountability, without permission,” they said.
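The two root-store policies at issue here, trusting only roots the program has admitted and requiring Certificate Transparency evidence in the certificate, can be expressed as a check a browser or an auditing tool runs on a server certificate. The following is an added illustration written for this article, not code from Mozilla or any root program; it uses Go's standard library and builds its own constructed root and leaf certificates (no real CA or hostname is involved) so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// OID of the embedded Signed Certificate Timestamp list (RFC 6962, section 3.3).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// CheckCert applies two policies a root program enforces today: the chain must
// end in a root the program admitted, and the leaf must carry embedded SCTs
// proving it was logged to Certificate Transparency. It returns every failure.
func CheckCert(leaf *x509.Certificate, roots *x509.CertPool, host string) []string {
	var problems []string
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		problems = append(problems, "chain: "+err.Error())
	}
	hasSCT := false
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidSCTList) {
			hasSCT = true
		}
	}
	if !hasSCT {
		problems = append(problems, "no embedded SCTs (Certificate Transparency)")
	}
	return problems
}

// NewTestPair builds a constructed root and a leaf for host signed by it.
// The leaf deliberately carries no SCT extension. Test data only, not a real CA.
func NewTestPair(host string) (*x509.Certificate, *x509.Certificate) {
	now := time.Now()
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	return root, leaf
}
```

With the constructed root admitted to the pool, the leaf fails only the CT check; with the root absent from the pool, or the hostname not matching, it fails both.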
European lawmakers have sought to mollify browser makers by including language allowing them to revoke QWACs, but the opponents said that would still give too much power to European certificate authorities.
Wednesday’s announcement says the final proposal preserves “well-established industry security rules and standards.” A Mozilla spokesperson told Information Security Media Group that “how this could have been achieved is difficult to see.”
“We cannot assess the impact of such changes until the text is made public,” the spokesperson said. “Until then, we will continue to engage to ensure that eIDAS will not enable surveillance and interception of web traffic,” since an authority able to issue trusted certificates for a website could potentially intercept and decrypt traffic to it.