What the QWAC?!

By admin

Almost 2 years on from the last time I wrote about QWACs, I’m sadly not here to tell you that things have gone well since then. In fact, I’m actually here to tell you that things are not going well at all…

QWAC

Back in Jan 2022, I wrote a blog post that went into details on what a QWAC, or Qualified Website Authentication Certificate, actually is: If it looks like a duck, swims like a duck, and QWACs like a duck, then it’s probably an EV Certificate

TLDR; It’s an EV Certificate all over again 🤷‍♂️

In all seriousness though, that’s actually quite a long and detailed post about the shortcomings of a QWAC and why they’re just a terrible, terrible idea. They’re only being pushed by organisations that would make $$$ selling them (funny that), and it’s like the entire mess of EV has been conveniently forgotten. I’m not here to re-tread the same ground, though; I’m here to talk about something even more concerning. You might think "ok, so we have a new type of pointless certificate available", and if that were the case, I wouldn’t be writing about it again and we could all just not buy them. The problem is that there’s something bigger lurking that really concerns me.

My Concerns

This isn’t all just talk for me: having dedicated a huge portion of my life to working in this industry, and being so passionate about it, this worries me. It worries me enough that I’ve signed multiple open letters speaking out against this, with the most recent just a few days ago, and I’ve even travelled to Brussels to sit alongside Member of European Parliament Karen Melchior, and other industry representatives, to speak against this. I have absolutely no skin in this game, one way or another, but I’ve seen something that I believe is just fundamentally wrong, and I feel compelled to speak out against it.

eIDAS Article 45 – latest recitals

As we come towards the end of the legal process, we’re closing in on the final revisions and final draft of some new regulation coming to the EU called eIDAS. This new regulation contains many things, and it’s only one small part of it that I fundamentally oppose, but it will have global impact, far beyond the borders of any member state of the EU.

Alongside introducing the concept of a QWAC, discussed in my previous blog post, eIDAS is also going to introduce some very concerning requirements that affect the Internet PKI. At the top of my list of concerns is that browser and client vendors (Root Store Operators) will have a legal obligation to add Government mandated Root Certificate Authorities to their Root Stores, bypassing existing approval mechanisms.

Yep, you read that right. Government mandated Root Certificate Authorities.

I could end this blog post right here because anyone reading this will understand the significance of such a statement, and just how much of a catastrophically bad idea that is, but it gets worse. There will also be restrictions placed on Root Store Operators around handling incidents at those Root CAs and possibly removing trust in them for wrongdoing. I cannot stress this enough so I’m going to say it again: this is a terrible idea.

How it works now

The system that we have now is not perfect, by any stretch of the imagination, but it has been improved so much over the years, with tireless work from the industry, that where we are now, finally, is a good place.

A browser or device vendor like Apple has a collection of Trusted Root Certificate Authorities that their devices will trust, and in turn, those devices will trust any certificates issued by those Trusted Root CAs. If you want to join this collection of Trusted Root CAs, you have to apply to join the Apple Root Certificate Program and pass some very strict requirements. Of course, this makes sense, because being a Trusted Root CA is a massive responsibility that gives you an enormous amount of power, and Apple want to make sure that their customers aren’t going to come to any harm because of your actions. The same goes for all such Root Store Operators like Mozilla, Chrome, Microsoft and many others that operate Trusted Root Programs for their own devices or software. It is in the interest of the software/device vendor to make sure that a Root CA is capable of operating properly because if not, all of that vendor’s customers are at serious risk of having their traffic intercepted and decrypted. So, for Apple, their concern is that if a Root CA makes a mistake, the potential outcome is that everyone using an iPhone could have the security of all of their traffic compromised! That’s a serious risk, and it’s why organisations like Apple take the process of approving Trusted Root CAs so damn seriously.

This is the existing approval mechanism that will be bypassed by this new legislation, and the Root Store Operators will be required to accept these European Root CAs without the ability to scrutinise them, or reject their inclusion.

How it’s going to work

I have access to the near-final text of the regulation, which is not yet public, but was leaked to me by a confidential source. I’ve been looking through the proposed changes and I still see all of the things that have concerned me throughout this entire process. Here are a few snippets from the hundreds of pages that I’ve read through that still demonstrate my concerns. These snippets outline the definition of a QWAC and that they must be held against the standards set out in the legislation:

‘qualified certificate for website authentication’ means a certificate for website authentication, which is issued by a qualified trust service provider and meets the requirements laid down in Annex IV;

Qualified certificates for website authentication shall meet the requirements laid down in Annex IV.

Evaluation of compliance with those requirements shall be carried out in accordance with the standards and the specifications referred to in paragraph 3.

But if that isn’t clear enough for you, the legislation goes on to say:

Qualified certificates for website authentication issued in accordance with paragraph 1 shall be recognised by web-browsers. Web-browsers shall ensure that the identity data attested in the certificate and additional attested attributes are displayed in a user-friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1.

That’s pretty clear, and we can still see the same concerns I raised previously about the legislation controlling not only support for, and use of, the Government Mandated Root CAs, but even control over the UI of the browser itself. It goes on:

National trusted lists should confirm the qualified status of website authentication services and of their trust service providers, including their full compliance with the requirements of this Regulation with regards to the issuance of qualified certificates for website authentication. Recognition of QWACs means that the providers of web-browsers should not deny the authenticity of qualified certificates for website authentication attesting the link between the website domain name and the natural or legal person to whom the certificate is issued and confirming the identity of that person. Providers of web-browsers should display in a user-friendly manner the certified identity data and the other attested attributes to the end-user, in the browser environment, by relying on technical implementations of their choice. To that end, providers of web-browsers should ensure support and interoperability with qualified certificates for website authentication issued in full compliance with the requirement of this Regulation.

Again, pressing this idea of a list of Trusted Root CAs that the client vendors must accept and "should not deny the authenticity of". Then, with regards to limiting the ability of a Root Store Operator to audit the behaviour of a Trusted Root CA on an ongoing basis:

In order to contribute to the online security of end-users, providers of web-browsers should be able to take measures, in exceptional circumstances, that are both necessary and proportionate in reaction to substantiated concerns on breaches of security or loss of integrity of an identified certificate or set of certificates. In this case, while taking any such precautionary measures, web browsers should notify without undue delay the national supervisory body and the Commission, the entity to whom the certificate was issued and the qualified trust service provider that issued that certificate or set of certificates of any such concern of a security breach as well as the measures taken relating to a single certificate or a set of certificates. These measures, should be without prejudice to the obligation of the browsers to recognize qualified website authentication certificates in accordance with the national trusted lists.

Then, just to make sure we don’t have any tremendously beneficial technologies like Certificate Transparency protecting us, it is clarified that:

Qualified certificates for website authentication shall not be subject to any mandatory requirements other than the requirements laid down in paragraph 1.

Paragraph 1, of course, does not make any mention of Certificate Transparency. All of these points are then summarised in a newly added section with the title "Cybersecurity precautionary measures":


1. Web-browsers shall not take any measures contrary to their obligations set out in Art 45, notably the requirement to recognise Qualified Certificates for Web Authentication, and to display the identity data provided in a user friendly manner.

2. By way of derogation to paragraph 1 and only in case of substantiated concerns related to breaches of security or loss of integrity of an identified certificate or set of certificates, web-browsers may take precautionary measures in relation to that certificate or set of certificates.

3. Where measures are taken, web-browsers shall notify their concerns in writing without undue delay, jointly with a description of the measures taken to mitigate those concerns, to the Commission, the competent supervisory authority, the entity to whom the certificate was issued and to the qualified trust service provider that issued that certificate or set of certificates. Upon receipt of such a notification, the competent supervisory authority shall issue an acknowledgement of receipt to the web-browser in question.

4. The competent supervisory authority shall consider the issues raised in the notification in accordance with Article 17(3)(c). When the outcome of that investigation does not result in the withdrawal of the qualified status of the certificate(s), the supervisory authority shall inform the web-browser accordingly and request it to put an end to the precautionary measures referred to in paragraph 2.

The industry speaks out

It’s not just me that thinks this is a bad idea though, of course; I’m just adding my voice to the chorus of other voices from across the industry.

Mozilla set up the Security Risk Ahead website with lots of details.

The Chrome Security Team has called for change in Qualified certificates with qualified risks.

You can head over to https://last-chance-for-eidas.org/ to read more about the risks.

You can read our latest open letter, with 400+ signatures so far, at https://eidas-open-letter.org/

The thing that it will always come down to for me, and the thing that you can use to guide your decisions, is to look at the interests of the parties involved. I’ve long been critical of many CAs for shitty marketing and shady practices, and it seems that’s continuing. The organisations and voices speaking out in support of QWACs and Article 45 are those that are going to be able to sell them for $$$ once this comes to pass. The organisations and voices speaking out against QWACs and Article 45 are those with an interest in preserving and improving the security of the ecosystem we’ve worked so hard to build. I have nothing to gain here by swaying your opinion, but you sure as hell have a lot to lose.

What do we do about it?

I’ll quote the following snippet from the ‘Last Chance’ website:

If you’re a European citizen, you can write to the member of the European Parliament responsible for the eIDAS file – Romana JERKOVIĆ – and register your concern.

If you’re a cybersecurity expert, researcher or represent an NGO, consider signing the open letter at https://eidas-open-letter.org.

In truth, I don’t know what else to do next, but I believe we have to do something. If these Qualified Trust Service Providers (QTSP is the name given to a CA that issues QWACs) are all they’re cracked up to be, then why can’t they just submit to the existing audit/approval process and pass with flying colours? That’s not too much to ask, is it?

Additional information and reading


Timeline of Certificate Authority Failures – why Trust Store Operators need the ability to audit and remove Root CAs.

Mozilla website pushes serious eIDAS misinformation to political decision makers and public – The ESD (a group of CAs) produced this laughable document. It closes by pointing out that Google and Mozilla are "investors" in Let’s Encrypt who are "in competition with all QTSPs" 😂 (a QTSP is a CA that issues QWACs).

Digital rights organisation epicenter.works had this to say about QWACs.

You should read what Alec Muffett has to say on eIDAS/QWACs.

This informative Tweet from Ryan Hurst is also a great start for info on the Internet PKI.

Update 19:10 UTC 7th Nov: The EFF have just published something on this, Article 45 Will Roll Back Web Security by 12 Years, and as you would expect, it’s well written and makes a lot of sense!