Industry, academia, and internet governance advocates are strongly opposing a proposed revision to the European Union's eIDAS regulation on Electronic Identification, Authentication, and Trust Services.
A group of 10 companies, which includes Mozilla, the developer of the Firefox web browser, the cloud computing service providers Cloudflare and Fastly, and the Linux Foundation, have jointly released an open letter expressing their opposition to a proposed modification to the eIDAS legislation by the European Commission in October.
The signatories express concern that the adoption of Articles 45 and 45a might jeopardize the overall security of the web, posing a risk to its stability and dependability.
These articles require all web browsers to recognize two new verification procedures under which websites request authentication certificates, known as Qualified Website Authentication Certificates (QWACs).
How Does Website Authentication Work Today?
Digital certificates are used to verify the identity of websites and other entities in the online world. They play a central role in enabling encryption.
Currently, the governance of digital certificates is split between two distinct entities: the root store programs of web browsers and the Baseline Requirements established by the Certificate Authority (CA)/Browser Forum.
In addition, Certificate Transparency, a sophisticated non-profit initiative led by the private sector, provides a mechanism for websites and browsers to detect and reject fraudulently obtained certificates.
In the open letter, the signatories stated that the existing system works. They highlighted that these shared policies ensure reliable communication on a worldwide level. People around the globe can trust that the operating systems or web browsers they use can establish secure channels for activities like web browsing, using apps, and other types of communication.
In Articles 45 and 45a, the EU Commission proposed requiring digital certificate providers to also undergo a yearly evaluation by an EU-created ‘Conformity Evaluation Body,’ in addition to “tracking and approval by a nationwide Supervisory Body before they are contributed to the EU Trust list and can begin to release QWACs.”
The eIDAS Modification: A Danger to Online Security?
The recent proposal for a system of validating websites within the EU has raised concerns among experts, who warn of several potential problems. According to a letter signed by a coalition of companies, implementing this system could compromise web security in several ways.
It removes web browsers’ power to validate websites. “This indicates that root stores can not apply policies that have been effective in the past, like requiring the use of Certificate Transparency to enhance accountability, without authorization,” reads the letter.
It prevents future changes needed to adapt to emerging technologies. “Modifications in action to developing requirements, like the requirement to respond to the possibility of a cryptographically-relevant quantum computer system, would need to be developed by the European Telecommunications Standards Institute (ETSI) rather than a body that has actually shown competence in this area,” wrote the letter signatories.
It introduces a more centralized authentication system that could fail to mitigate incidents. “Certificate authorities listed by member states will be recognized throughout the entire union. A mistake of judgment or intentional action by one member state will impact people in all other member states,” reads the letter.
It opens the door to international surveillance. Mozilla wrote in its own public declaration: “This [change] allows the government of any EU member state to issue website certificates for interception and surveillance which can be utilized against every EU resident, even those not resident in or connected to the issuing member state.”
The open letter concluded: “In summary, the undersigned think that eIDAS Article 45 and 45a represent a harmful intervention in a system that is important to protecting the Internet. We ask that the EU Parliament and Members reevaluate this action.”
As of November 8, 2023, a total of 504 scientists, researchers, and professionals from 39 countries have signed the letter, together with many non-governmental organizations such as the Internet Society and the Georgia Tech School of Public Policy’s Internet Governance Project.