The organizations that build and secure the Internet are concerned about proposed EU regulations that aim to mandate that all Web browsers recognize a new form of certificate for the purposes of authenticating websites. To support Mozilla’s position on eIDAS regulation and the organization’s multi-year effort to avert a potential policy disaster for cryptography in Articles 45 and 45a of the proposed eIDAS provisions, OpenSSF has co-signed the Industry Joint Statement on Article 45 in the EU’s eIDAS Regulation Those provisions are likely to weaken the security of the Internet as a whole.
In summary, the eIDAS proposal would potentially introduce root certificates that do not meet the established security standards and could lead to data compromise.
- The proposed changes are at the operating system (OS) level. From an end user device perspective, each device OS has a collection of trusted root certificates for establishing encrypted channels in order to protect data in transit. It’s a standard process for web traffic.
- The proposed changes may make future cryptographic improvements difficult in order to add more security to protect data in transit.
- The proposed changes introduce inconsistency into established standard processes across the globe on encrypting data in transit. This would lead to EU region services untrusted and not securely accessible.
For details, please refer to:
- Industry Joint Statement on Article 45 in the EU’s eIDAS Regulation
- Last Chance to fix eIDAS
- EU Digital Identity framework (eIDAS) – November 2021 position paper on the European Commission’s legislative proposal to revise the eIDAS Regulation
- Can we agree on the facts about QWACs?
- Mozilla | QWACs
Industry Joint Statement on Article 45 in the EU’s eIDAS Regulation
2 November 2023
Dear Members of the European Parliament,
Dear Member States of the Council of the European Union,
We represent companies that build and secure the Internet. Our organizations are either based in Europe or offer products and services in Europe.
We write to express our concern with the proposed eIDAS legislation. We appreciate efforts to use rulemaking to strengthen the security of the Internet and the leadership role that Europe has taken in fostering cross-border interoperability. However, leadership comes with a greater responsibility to consider the broader implications of changes.
Articles 45 and 45a of the proposed eIDAS provisions are likely to weaken the security of the Internet as a whole. These articles mandate that all Web browsers recognize a new form of certificate for the purposes of authenticating websites. The current language is imprecise, and this risks being interpreted as requiring that browsers recognize the certificate authorities that each EU member state appoints for the purposes of authenticating the domain name of websites.
The root store programs operated by Web browsers and operating systems are the core of Internet security. The certificate authorities recognized by these programs are responsible for attesting to the authenticity of domain names for websites. However, this is not the only system that depends on these certificates. Certificates provided by certificate authorities also secure global commerce in many ways, including email, voice and video, messaging, software delivery, and many other proprietary forms of communication used by businesses.
The current system works. Root store programs and certificate authorities have worked collaboratively in a joint body, the CA/Browser Forum, to develop baseline recommendations. These common rules ensure that trustworthy communication is possible at a global scale. People across the planet can trust that the operating systems or browsers they use can establish secure communications for Web browsing, apps, and other communications.
The current system is also delicate. Failure of any certificate authority has the potential to compromise communications with any website or service. The resilience of this system depends on multiple interdependent systems working together. The expertise and diligence of a diverse set of people is necessary to ensure that the system is robust and accountable. Intervention in this system therefore needs careful consideration and wide consultation.
The issues with Articles 45 and 45a of eIDAS are a result of mandating that browsers recognize entities nominated by European member states:
- Mandating recognition of entities that do not meet established standards for security, as defined by the CA/Browser Forum.
Article 45 potentially mandates the recognition of certificate authorities that have been denied inclusion in root store programs and those that have been removed after repeated failures to follow best practices in their operations.
- Browsers are forbidden from specifying additional conditions for certificate authorities.
All requirements will be specified by the nominated European Standards Organization: European Telecommunications Standards Institute (ETSI). Under Article 45 clause 2a, only conditions listed in these specifications can be required.
This means that root stores cannot apply policies that have been effective in the past, like requiring the use of Certificate Transparency to improve accountability, without permission. Similarly, changes in response to evolving needs, like the need to respond to the possibility of a cryptographically-relevant quantum computer, would need to be developed by ETSI rather than a body that has demonstrated competence in this area.
A root store is permitted to temporarily remove a certificate authority under Article 45a. However, a supervisory authority can also mandate that the certificate authority be restored.
- These changes have adverse extraterritorial effects.
Certificate authorities listed by member states will be recognized across the entire union. An error of judgment or deliberate action by one member state will affect citizens in all other member states.
Users and companies outside of Europe may opt to use a separate list of certificate authorities without the additional entries required inside the EU. This would limit the adverse security effects of these changes to European citizens, but could lead to a fragmented Web where some sites are inaccessible outside of Europe.
In summary, the undersigned believe that eIDAS Article 45 and 45a represent a dangerous intervention in a system that is essential to securing the Internet. We request that the EU Parliament and Members reconsider this action.
(in alphabetical order)
Internet Security Research Group
Linux Foundation Europe