EU row over certificate authority mandates continues ahead of rule change

Organisations and companies representing the global tech sector are warning that a regulation adopted by the European Union will undermine security and trust in browsers worldwide, enable state-sponsored web traffic interception, and be extra-territorial.




The EU proposal, Article 45 of the Electronic Identification, Authentication and Trust Services (eIDAS) regulation, version 2, mandates Qualified Web Authentication Certificates (QWACs) and has caused an escalating row between the EU and the mostly North American tech sector.


At issue is whether the proposed regulation’s requirement that all browsers use QWACs to “ensure that the identity data provided using any of the methods is displayed in a user-friendly manner” is harmful to the existing Certificate Authority ecosystem.

Various organisations – including Mozilla, Google, Cloudflare, the Linux Foundation and the Internet Society – are warning that if the wording of Article 45 remains unchanged, it would ultimately require all browsers to carry an EU-mandated list of trusted root Certificate Authorities (CAs).


The accusation, put forward in a Mozilla-backed open letter (PDF), is that the regulation in its current wording would force mandated certificates and cryptographic keys on browsers, allowing malicious governments to intercept traffic.


“The current language is imprecise, and risks being interpreted as requiring that browsers recognise the certificate authorities that each EU member state appoints for the purposes of authenticating the domain name of websites,” the letter stated.


“Certificates provided by certificate authorities also secure global commerce in many ways, including email, voice and video, messaging, software delivery, and many other proprietary forms of communication ..
