Twelve web community leaders have sent a letter to members of the European Parliament and representatives of the Council of the European Union to express their concerns about the security implications of the revised Article 45 of the draft legislative proposal on Digital Identity (e-ID).
The European Commission’s legislative proposal to amend the Regulations on Digital Identification, Authentication and Trust Services (eIDAS), which dates back to 2014 and aims to secure cross-border identity exchange, is facing resistance from the web community – particularly in relation to Article 45.
Legally mandating that selected European companies, called certification authorities (CAs), be included in web browsers’ root stores poses serious threats and vulnerabilities to web security, the signatories say.
Under the revised Article 45, browsers will be forced to accept Qualified Website Authentication Certificates (QWACs) from these CAs, whether or not the CAs meet browser security standards.
“Unfortunately, this technical requirement is problematic, as security teams need to respond at the pace of evolving cybersecurity threats and incidents, and not be stifled by legislative text that would impede this speed of reaction,” reads the letter sent on Wednesday (April 6).
The letter was signed by prominent online players such as Vint Cerf, Internet pioneer and former CEO of the Internet Corporation for Assigned Names and Numbers (ICANN) – the US body responsible for managing the Internet’s domain name system – and Andrew Sullivan, President and CEO of the Internet Society.
Web authentication is the mechanism that ensures that users visit the website they want to visit and are not directed to entities impersonating that website.
To do this, users receive a certificate confirming that they are visiting the website they intend to visit. Certification authorities are third parties, appointed by the governments of the European Union, who issue these certificates to websites.
“So it’s a very powerful tool, because if you issue that certificate incorrectly, it means that a malicious entity can impersonate the website you’re trying to visit,” Marshall Irwin, Mozilla’s head of trust intelligence, told EURACTIV.
Therefore CAs must be trusted and function properly.
A critical issue in the bill concerns the manner and the security standards under which these certificates are awarded. The proposal would allow certification authorities that issue a certain type of certificate, namely QWACs, to be recognised by browsers regardless of the security standards they apply.
The concept of QWACs was established in the 2014 law. They ensure that the certificates include additional information, not only about the domain the user is visiting but also about the legal entity behind it.
According to various sources, including the Electronic Frontier Foundation, QWACs have proved problematic because their effectiveness as a means of delivering security to users has been disputed.
Until now, browsers have first made sure that CAs meet their standards, says Irwin. The current proposal, however, “would create a parallel process in which individual countries decide based on an undefined set of criteria”, he said, and Mozilla, for example, would then have to accept those CAs.
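The trust decision described in the two passages above (a certificate vouches for a website only because a CA the browser trusts issued it, and the browser decides which CAs those are), as an added illustration that is not from the article, from Mozilla or from any browser’s code. It is a standard-library Go program that models a browser’s check: the CA names, the hostname example.com and the two trust stores are constructed for the example. It shows that a certificate is accepted only when it chains to a root held in the browser’s store, so whoever controls the list of roots controls which CAs can vouch for a site, and a CA added without the browser’s vetting is trusted for every name it chooses to issue for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer pairs a CA certificate with the private key that signs on its behalf.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newRootCA creates a self-signed root for a hypothetical CA called name.
func newRootCA(name string) *issuer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &issuer{cert: cert, key: key}
}

// issueLeaf has the CA vouch for hostname; a mis-issuance is exactly this
// step performed for a name the CA should not have certified.
func (ca *issuer) issueLeaf(hostname string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname}, // browsers match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// browserAccepts is the decision made on a TLS handshake: the presented
// certificate must chain to a root in the trust store and name the host.
func browserAccepts(store *x509.CertPool, leaf *x509.Certificate, hostname string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     store,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// RunScenario contrasts a trust store the browser curates with one it is
// required to extend. It returns: vetted CA's cert accepted, unvetted CA's
// cert rejected by the curated store, and the same cert accepted once the
// unvetted root has been forced into the store.
func RunScenario() (bool, bool, bool) {
	const site = "example.com" // constructed hostname for the example
	vetted := newRootCA("Vetted CA (passed the browser root programme)")     // hypothetical
	listed := newRootCA("Government-listed CA (not vetted by the browser)") // hypothetical

	curated := x509.NewCertPool() // the store the browser maintains today
	curated.AddCert(vetted.cert)
	fromVetted := vetted.issueLeaf(site)
	fromListed := listed.issueLeaf(site)
	acceptVetted := browserAccepts(curated, fromVetted, site)   // true
	acceptListed := browserAccepts(curated, fromListed, site)   // false: root not in store

	mandated := x509.NewCertPool() // the store after a mandate adds the listed root
	mandated.AddCert(vetted.cert)
	mandated.AddCert(listed.cert)
	acceptMandated := browserAccepts(mandated, fromListed, site) // true: vetting bypassed

	return acceptVetted, acceptListed, acceptMandated
}

func main() {
	a, b, c := RunScenario()
	fmt.Printf("curated store: vetted CA=%v, listed CA=%v; mandated store: listed CA=%v\n", a, b, c)
}
```

The only difference between the second and third checks is the contents of the trust store; nothing about the certificate changed. That is why the letter’s signatories treat control over root inclusion, and the ability to remove a root quickly when a CA mis-issues, as the safeguard that legislation should not take away from browsers.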
“Essentially, these are government-authorised certification bodies that we will be required to recognise,” Mr. Irwin explained.
This European legislation could set a dangerous precedent elsewhere. “I think our biggest concern is that other repressive regimes or other major powers basically follow and take the same approach,” he added.
For example, governments such as those of the United Arab Emirates or Kazakhstan have already actively sought to undermine web authentication by, as Mr. Irwin put it, “pass[ing] legislation requiring browsers to provide intermediate capability by accepting CAs that do not meet our standards”.
“We have succeeded in reversing this situation at the global level. But our ability to do so will really be undermined by the time the precedent is set.”
Not only would this set a worrying precedent, but, Google’s director of data governance Kate Charlet told EURACTIV, “it will actively expose citizens to increased digital risks at a time when protection is more difficult – and more important – than ever before.”
Like the signatories to the letter, Ms. Charlet does not believe that regulatory frameworks should have the effect of preventing organisations from protecting their users against cybercrime and evolving threats.
The file has been referred to the European Parliament’s Committee on Industry, Research and Energy (ITRE). Rapporteur Romana Jerković said a committee vote on the draft proposal was expected in July.