Almost 2 years on from the last time I wrote about QWACs, I'm sadly not here to tell you that things have gone well since then. In fact, I'm actually here to tell you that things are not going well at all...
QWAC
Back in Jan 2022, I wrote a blog post that went into detail on what a QWAC, or Qualified Website Authentication Certificate, actually is: "If it looks like a duck, swims like a duck, and QWACs like a duck, then it's probably an EV Certificate".
TLDR; It's an EV Certificate all over again 🤷♂️
In all seriousness though, that's actually quite a long and detailed post about the shortcomings of a QWAC and why they're just a terrible, terrible idea. They're only being pushed by organisations that would make $$$ selling them (funny that) and it's like the entire mess of EV has been conveniently forgotten. I'm not here to re-tread the same ground, though; I'm here to talk about something even more concerning. You might think "ok, so we have a new type of pointless certificate available", and if that were the case, I wouldn't be writing about it again and we could all just not buy them. The problem is that there's something bigger lurking that really concerns me.
My Concerns
This isn't all just talk for me. Having dedicated a huge portion of my life to working in this industry and being so passionate about it, this worries me. It worries me enough that I've signed multiple open letters speaking out against this, with the most recent just a few days ago, and I've even travelled to Brussels to sit alongside Member of the European Parliament Karen Melchior, and other industry representatives, to speak against this. I have absolutely no skin in this game, one way or another, but I've seen something that I believe is just fundamentally wrong, and I feel compelled to speak out against it.
eIDAS Article 45 - latest recitals
As we come towards the end of the legal process, we're closing in on the final revisions and final draft of some new regulation coming to the EU called eIDAS. This new regulation contains many things, and it's only one small part of it that I fundamentally oppose, but it will have global impact, far beyond the borders of any member state of the EU.
Alongside introducing the concept of a QWAC, discussed in my previous blog post, eIDAS is also going to introduce some very concerning requirements that affect the Internet PKI. At the top of my list of concerns is that browser and client vendors (Root Store Operators) will have a legal obligation to add Government mandated Root Certificate Authorities to their Root Stores, bypassing existing approval mechanisms.
Yep, you read that right. Government mandated Root Certificate Authorities...
I could end this blog post right here because anyone reading this will understand the significance of such a statement, and just how much of a catastrophically bad idea that is, but it gets worse. There will also be restrictions placed on Root Store Operators around handling incidents at those Root CAs and possibly removing trust in them for wrongdoing. I cannot stress this enough so I'm going to say it again, this is a terrible idea.
How it works now
The system that we have now is not perfect, by any stretch of the imagination, but it has been improved so much over the years with tireless work from the industry, that where we are now, finally, is a good place.
A browser or device vendor like Apple has a collection of Trusted Root Certificate Authorities that their devices will trust, and in turn, those devices will trust any certificates issued by those Trusted Root CAs. If you want to join this collection of Trusted Root CAs, you have to apply to join the Apple Root Certificate Program and pass some very strict requirements. Of course, this makes sense, because being a Trusted Root CA is a massive responsibility that gives you an enormous amount of power, and Apple want to make sure that their customers aren't going to come to any harm because of your actions. The same goes for all such Root Store Operators like Mozilla, Chrome, Microsoft and many others that operate Trusted Root Programs for their own devices or software. It is in the interest of the software/device vendor to make sure that a Root CA is capable of operating properly because if not, all of that vendor's customers are at serious risk of having their traffic intercepted and decrypted. So, for Apple, their concern is that if a Root CA makes a mistake, the potential outcome is that everyone using an iPhone could have the security of all of their traffic compromised! That's a serious risk, and it's why organisations like Apple take the process of approving Trusted Root CAs so damn seriously.
This is the existing approval mechanism that will be bypassed by this new legislation, and the Root Store Operators will be required to accept these European Root CAs without the ability to scrutinise them or reject their inclusion.
How it's going to work
I have access to the near-final text of the regulation, which is not yet public, but was leaked to me by a confidential source. I've been looking through the proposed changes and I still see all of the things that have concerned me throughout this entire process. Here are a few snippets from the hundreds of pages that I've read through that still demonstrate my concerns. These snippets outline the definition of a QWAC and that they must be held against the standards set out in the legislation:
‘qualified certificate for website authentication’ means a certificate for website authentication, which is issued by a qualified trust service provider and meets the requirements laid down in Annex IV;
Qualified certificates for website authentication shall meet the requirements laid down in Annex IV.
Evaluation of compliance with those requirements shall be carried out in accordance with the standards and the specifications referred to in paragraph 3.
But if that isn't clear enough for you, the legislation goes on to say:
Qualified certificates for website authentication issued in accordance with paragraph 1 shall be recognised by web-browsers. Web-browsers shall ensure that the identity data attested in the certificate and additional attested attributes are displayed in a user-friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1
That's pretty clear, and we can still see the same concerns I raised previously about the legislation controlling not only support for, and use of, the Government Mandated Root CAs, but even control over the UI of the browser itself. It goes on:
National trusted lists should confirm the qualified status of website authentication services and of their trust service providers, including their full compliance with the requirements of this Regulation with regards to the issuance of qualified certificates for website authentication. Recognition of QWACs means that the providers of web-browsers should not deny the authenticity of qualified certificates for website authentication attesting the link between the website domain name and the natural or legal person to whom the certificate is issued and confirming the identity of that person. Providers of web-browsers should display in a user-friendly manner the certified identity data and the other attested attributes to the end-user, in the browser environment, by relying on technical implementations of their choice. To that end, providers of web-browsers should ensure support and interoperability with qualified certificates for website authentication issued in full compliance with the requirement of this Regulation.
Again, pressing this idea of a list of Trusted Root CAs that the client vendors must accept and "should not deny the authenticity of". Then, with regards to limiting the ability of a Root Store Operator to audit the behaviour of a Trusted Root CA on an ongoing basis:
In order to contribute to the online security of end-users, providers of web-browsers should be able to take measures, in exceptional circumstances, that are both necessary and proportionate in reaction to substantiated concerns on breaches of security or loss of integrity of an identified certificate or set of certificates. In this case, while taking any such precautionary measures, web browsers should notify without undue delay the national supervisory body and the Commission, the entity to whom the certificate was issued and the qualified trust service provider that issued that certificate or set of certificates of any such concern of a security breach as well as the measures taken relating to a single certificate or a set of certificates. These measures, should be without prejudice to the obligation of the browsers to recognize qualified website authentication certificates in accordance with the national trusted lists.
Then, just to make sure we don't have any tremendously beneficial technologies like Certificate Transparency protecting us, it is clarified that:
Qualified certificates for website authentication shall not be subject to any mandatory requirements other than the requirements laid down in paragraph 1.
Paragraph 1, of course, does not make any mention of Certificate Transparency. All of these points are then summarised in a newly added section with the title "Cybersecurity precautionary measures":
1. Web-browsers shall not take any measures contrary to their obligations set out in Art 45, notably the requirement to recognise Qualified Certificates for Web Authentication, and to display the identity data provided in a user friendly manner.
2. By way of derogation to paragraph 1 and only in case of substantiated concerns related to breaches of security or loss of integrity of an identified certificate or set of certificates, web-browsers may take precautionary measures in relation to that certificate or set of certificates
3. Where measures are taken, web-browsers shall notify their concerns in writing without undue delay, jointly with a description of the measures taken to mitigate those concerns, to the Commission, the competent supervisory authority, the entity to whom the certificate was issued and to the qualified trust service provider that issued that certificate or set of certificates. Upon receipt of such a notification, the competent supervisory authority shall issue an acknowledgement of receipt to the web-browser in question.
4. The competent supervisory authority shall consider the issues raised in the notification in accordance with Article 17(3)(c). When the outcome of that investigation does not result in the withdrawal of the qualified status of the certificate(s), the supervisory authority shall inform the web-browser accordingly and request it to put an end to the precautionary measures referred to in paragraph 2.
The industry speaks out
It's not just me that thinks this is a bad idea though. Of course, I'm just adding my voice to the chorus of other voices from across industry.
- Mozilla set up the Security Risk Ahead website with lots of details.
- The Chrome Security Team has called for change in Qualified certificates with qualified risks.
- You can head over to https://last-chance-for-eidas.org/ to read more about the risks.
- You can read our latest open letter with 400+ signatures so far. https://eidas-open-letter.org/
The thing that it will always come down to for me, and the thing that you can use to guide your decisions, is to look at the interests of the parties involved. I've long been critical of many CAs for shitty marketing and shady practices, and it seems that's continuing. The organisations and voices speaking out in support of QWACs and Article 45 are those that are going to be able to sell them for $$$ once this comes to pass. The organisations and voices speaking out against QWACs and Article 45 are those with an interest in preserving and improving the security of the ecosystem we've worked so hard to build. I have nothing to gain here by swaying your opinion, but you sure as hell have a lot to lose.
What do we do about it?
I'll quote the following snippet from the 'Last Chance' website:
If you’re a European citizen, you can write to the member of the European Parliament responsible for the eIDAS file - Romana JERKOVIĆ - and register your concern.
If you’re a cybersecurity expert, researcher or represent an NGO, consider signing the open letter at https://eidas-open-letter.org.
In truth, I don't know what else to do next, but I believe we have to do something. If these Qualified Trust Service Providers (QTSP is the name given to a CA that issues QWACs) are all they're cracked up to be, then why can't they just submit to the existing audit/approval process and pass with flying colours? That's not too much to ask, is it?
Additional information and reading
Timeline of Certificate Authority Failures - why Trust Store Operators need the ability to audit and remove Root CAs.
Mozilla website pushes serious eIDAS misinformation to political decision makers and public - The ESD (a group of CAs) produced this laughable document. It closes by pointing out that Google and Mozilla are "investors" in Let's Encrypt who are "in competition with all QTSPs" 😂 (a QTSP is a CA that issues QWACs)
Digital rights organisation epicenter.works had this to say about QWACs.
You should read what Alec Muffett has to say on eIDAS/QWACs.
This informative Tweet from Ryan Hurst is also a great start for info on the Internet PKI.
Update 19:10 UTC 7th Nov: The EFF have just published something on this, Article 45 Will Roll Back Web Security by 12 Years, and as you would expect, it's well written and makes a lot of sense!