Mozilla and others warn EU identity cert rules undermine security

EU digital certificate plan triggers warnings.
Mozilla and others protest EU digital certificate requirements

Several internet companies and organizations, including Mozilla, Mullvad, Cloudflare and the Linux Foundation, are raising the alarm about the certificate plan that is part of the European digital identity framework. They say the plan represents a dangerous intervention in a system that is essential for securing the internet.

The criticism is aimed at the eIDAS 2.0 regulation (eIDAS stands for electronic Identification, Authentication and trust Services). Part of the proposal, Articles 45 and 45a, requires browser vendors to accept Qualified Website Authentication Certificates (QWACs) issued by Qualified Trust Service Providers (QTSPs).

Qualified Trust Service Providers are, in effect, certificate authorities: the parties that issue the TLS certificates used to identify websites and to encrypt the connections between websites and their visitors. Currently, browsers only accept certificate authorities that meet the requirements of their root programs, such as the CA/Browser Forum Baseline Requirements.

The European Commission wants to be able to force browser vendors to trust Qualified Trust Service Providers and add them to their root stores, regardless of whether those providers meet the requirements that apply to other certificate authorities.

In addition, browser vendors would have no option to remove misbehaving QTSPs from the browser. According to experts, this could have major consequences for web security, and the EU was therefore called on to change the certificate plan. Despite support from various committees for amending the text, the European Council still agreed to the controversial certificate plan.
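To make the mechanism concrete, here is an added example in Go, not code from the article or from any of the organizations it names, using only the standard library's crypto/x509. It builds two constructed root CAs, one standing in for a root already in a browser's root program and one for a mandated QTSP root, has each issue a certificate for the same host name, and then runs the chain validation a TLS client performs against two root stores: the browser's own store, and that store with the QTSP root added as Articles 45 and 45a would require. The host name, the CA names and the SPKI pin check at the end are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert signs tmpl with parentKey (self-signs when parent is nil) and returns it with its new key.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newRootCA builds a self-signed CA. The names used in Scenario are constructed labels, not real CAs.
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mkCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf has a CA sign a server certificate for dnsName. X.509 itself does not stop a
// trusted CA from doing this for any domain; only root-program policy and removal do.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	leaf, _ := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// accepted mimics a TLS client's check: does leaf chain to a root in the store for this host?
func accepted(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// spkiFingerprint hashes the SubjectPublicKeyInfo, the value a key pin or a CT monitor compares.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Outcome records what the client decided in each configuration.
type Outcome struct {
	GenuineAccepted        bool // site's real cert, browser's own root store
	MitmRejectedByDefault  bool // QTSP-issued cert for the same host, own root store
	MitmAcceptedIfMandated bool // same cert once the QTSP root is forced into the store
	PinDetectsMitm         bool // a pin on the real key still notices the swap
}

// Scenario plays out the Article 45 situation for one host name.
func Scenario(host string) Outcome {
	browserRoot, browserKey := newRootCA("Browser Program Root CA (constructed)")
	qtspRoot, qtspKey := newRootCA("Mandated QTSP Root (constructed)")
	genuine := issueLeaf(browserRoot, browserKey, host) // the site's real certificate
	mitm := issueLeaf(qtspRoot, qtspKey, host)          // interception cert, same name
	own := []*x509.Certificate{browserRoot}
	mandated := []*x509.Certificate{browserRoot, qtspRoot}
	return Outcome{
		GenuineAccepted:        accepted(genuine, own, host),
		MitmRejectedByDefault:  !accepted(mitm, own, host),
		MitmAcceptedIfMandated: accepted(mitm, mandated, host),
		PinDetectsMitm:         spkiFingerprint(mitm) != spkiFingerprint(genuine),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario("example.com"))
}
```

The point of the demo is the third flag: once a root is in the store, a certificate it issues for any host is indistinguishable from the genuine one to ordinary chain validation, which is why root inclusion and the ability to remove a root are the only policy levers a browser has. The last flag shows what is left on the client side if that lever is taken away: an out-of-band expectation about the site's key, in the form of a pin or a Certificate Transparency check, is the only thing that still notices the swap.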

“Articles 45 and 45a of the proposed eIDAS regulation are likely to weaken the security of the entire Internet,” said Bytecode Alliance, Cloudflare, DNS0.EU, Fastly, Internet Security Research Group, Linux Foundation, Mozilla, Mullvad, OpenSSF and Sigstore in a joint statement (pdf).

Beyond these risks, the organizations note that users and companies outside Europe may end up using a separate list of certificate authorities, one without the additions the EU would mandate.

“This limits the security consequences of these changes to European citizens only, but could also lead to a fragmented web where some sites outside Europe are inaccessible,” the organizations warn.

They ask the European Parliament and the Member States not to agree to the two articles. The proposal will probably be voted on in late November or early December.

The dangers of the EU’s digital certificate plan

At first glance, the EU’s plan to standardize digital identity certificates across member states appears benign – a bureaucratic attempt to improve interoperability for digital signatures and online public services. However, I find the browser certificate integration extremely alarming.

This feels like a convenient pretext for expanding government surveillance powers. The recent Jabber intercept attempts by Germany also make me distrust claims this is just about linking citizens to government sites. Forcing browsers to add state-controlled certificate authorities represents a major threat to web security that no amount of public outreach can justify.

Proponents will insist this focuses on citizen authentication, not spying on web traffic. But the regulation text clearly references website domain names and legal entity details. This would enable compromise of the entire certificate system that website identity verification and encryption depend on. Once in place, there is nothing to prevent the deployment of “man-in-the-middle” attacks as was the case with Jabber.

No amount of talk about standardization can paper over the glaring security impacts. This is a dangerous proposal that will undermine internet security both in Europe and worldwide. The opacity around recent changes made behind closed doors further breeds suspicion about the true motives. Major technical questions remain, but the core premise is deeply flawed.

Forcing browser acceptance of state-controlled certificates grants EU governments excessive new powers over web infrastructure. It is unconscionable for a Western government to make such a blatant internet power grab under the guise of digital administration.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for Huffington Post for their Code column.