EU's Latest Internet Regulatory Madness: Destroying Internet Security With Its Digital Identity Framework

from the just-stop dept

The EU is at it again. Recently Mozilla put out a position paper highlighting the latest dangerous move by busybody EU regulators who seem to think that they can magically regulate the internet without (1) understanding it, or (2) bothering to talk to people who do understand it. The issue is the Digital Identity Framework, which, in theory, is supposed to do some useful things regarding interoperability and digital identities. This could be really useful in enabling more end user control over identity and information (a key part of my whole Protocols, Not Platforms concept). But the devil is in the details, and the details are a mess.

It would force browsers to support a specific kind of authentication certificate — Qualified Web Authentication Certificates (QWACs) — but as Mozilla points out, that would be disastrous for security:

At the same time, the types of website certificates that browsers would be forced to accept, namely QWACs, are based on a flawed certificate architecture that is ill-suited for the security risks users face online today. In the years since the original eIDAS regulation was adopted in 2014, an increasing body of research has illustrated how the certificate architecture upon which QWACs are inspired ? namely, extended validation certificates ? lull individuals into a false sense of security that is often exploited for malicious purposes such as phishing and domain impersonation. For that reason, since 2019 no major browser showcases EV certificates directly in the URL address bar.

As such, should the revised Article 45 be adopted as is, Mozilla would no longer be able to honour the security commitments we make to the hundreds of millions of people who use our Firefox browser or any of the other browser and email products that also depend on Mozilla?s Root Program. It would amount to an unprecedented weakening of the website security ecosystem, and undercut the browser community?s ability to push back against authoritarian regimes? interference with fundamental rights (see here and here for two recent examples).

As Mozilla notes, the EU can still fix this. Whether or not it does is an open question.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “EU's Latest Internet Regulatory Madness: Destroying Internet Security With Its Digital Identity Framework”

Subscribe: RSS Leave a comment
Scary Devil Monastery (profile) says:

Crap like this...

…is why I’m leaning toward the EU not being sustainable. Too many inept morons with dunning-kruger in positions of authority to change stuff they don’t understand in order to cater to a vision of the world which wasn’t even true thirty years ago when they first learned that technology was a thing.

This is why we can’t have nice things. The village idiot gets to make decisions for the village.

ECA (profile) says:

Re: Re: Crap like this...

The EU is independent of the nations they are ???
Each nation in Europe had to supply 1-2 people to the EU to regulate things for each country.
Most of Europe has Problems with the Euro Union. 1 group deciding What the whole of these nations can and cant do, and they are being paid Good money, to do the same thing those In country are supposed to be doing.

Scary Devil Monastery (profile) says:

Re: Re: Crap like this...

"The european union might be slightly larger than your average village."

The extended metaphor – every nation sending its village idiots to govern the EU – doesn’t really make it better. An empire run entirely by the court jesters and the "touched" rounded up and exiled from the courts of the member states who all watch the plague of the land toddle off to Brussels while drawing sighs of relief.

Vikarti Anatra (profile) says:

Main issue from actual Mozilla's PDF

Unfortunately the 2021 regulatory proposal makes the risks associated with the QWAC framework much more dramatic, and will lead to a regression in the security assurances that users have come to expect from their browsers. This is because through Article 45.2, the legislative proposal, in effect, mandates that browsers automatically include Trust Service Providers (TSPs) in their browser root programs. ‘Trust Service Providers’ (TSPs), in this context, are essentially Certificate Authorities (CAs) that can issue QWACs under the eIDAS regime. These TSPs are notified by member states and as Mozilla has highlighted in the past, many of them do not meet the criteria required to also be included in our Root Store. By mandating that TSPs be supported by browsers in general, and in particular when they fail to meet the security and audit criteria of their root program, Article 45.2 will negatively transform the website security ecosystem in a fundamental way. This is outlined in the following subsection in more detail

As far as I understood this means that browser’s root stores must use CAs for ‘special’ https certificates from CAs which have nothing to do with being open and accountable to public. They also can be insecure.
Another possible is that this it would be more hard to found reason other than ‘we don’t trust your goverment’ to NOT accept Chinese’s (or Burmese( ) version of it).

All borwser

Anonymous Coward says:

Re: Main issue from actual Mozilla's PDF

Could a browser include such a TSP, allow it to issue a QWAC, and then just not do anything with it? Just continue relying on the certificates you actually trust, while the quack of a certificate that was forced on you gathers dust without affecting any of the browser’s behavior.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...