Qualified website authentication certificate

The EU trust mark for qualified trust services.

A qualified website authentication certificate (QWAC certificate) is a qualified digital certificate under the trust services defined in the European Union eIDAS Regulation.

A 2016 European Union Agency for Cybersecurity report proposed six strategies and twelve recommended actions as an escalated approach that targets the most important aspects viewed as critical for improving the website authentication market in Europe and successfully introducing qualified website authentication certificates as a means to increase transparency in this market.^[1]

QWAC in the context of other standards[]

There are different types of website authentication certificates: Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV). Another distinction that can be made among types of website authentication certificates relates to the number of domains that are secured by the certificate: Single domain, wildcard, multi domain. Extended Validation certificates offer the highest quality in terms of assurance of the identity of a certificate owner among existing types of certificate in the market.^{[according to whom?]} Typically the use of an EV certificate used to be indicated by a green color – but as of 2019 most major browsers are no longer indicating if certificates are EV.

The eIDAS regulations are an attempt to introduce a new parallel security approach relying on government certification of trust service providers (TSPs) alongside the existing multi-stakeholder Certificate authority (CA) system. Many stakeholders in the current system see flaws and risks in the approach, and warn that it would actually undermine the security of individuals and the web.^[2]^[3]

eIDAS Regulation[]

In the eIDAS Regulation trust services are defined as electronic services, normally provided by TSPs, which consist of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication.^[4]^[5]

In essence, the eIDAS Regulation provides a framework to promote:^[6]

Transparency and accountability: well-defined minimal obligations for TSPs and liability.
Guarantee of trustworthiness of the services together with security requirements for TSPs.
Technological neutrality: avoiding requirements which could only be met by a specific technology.
Market rules and standardization certainty.

Content[]

Website authentication certificates are one of the five trust service defined in the eIDAS Regulation. Article 45 sets the requirement for trust service providers issuing qualified website authentication certificates of being qualified, which implies that all requirements for qualified trust service providers (QTSPs) described in the previous section will be applicable. Annex IV defines the content of qualified certificates for website authentication:^[5]

An indication that the certificate has been issued as a qualified certificate for website authentication.
A set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including the member state in which that provider is established and adequately to the situation
1. for a legal person: the name and, where applicable, registration number as stated in the official records,
2. for a natural person: the person’s name.
For natural persons: at least the name of the person to whom the certificate has been issued, or a pseudonym. If a pseudonym is used, it shall be clearly indicated. For legal persons: at least the name of the legal person to whom the certificate is issued and, where applicable, the registration number as stated in the official records.
Elements of the address, including at least city and state, of the natural or legal person to whom the certificate is issued and, where applicable, as stated in the official records.
The domain names operated by the natural or legal person to whom the certificate is issued.
Certificate’s period of validity.
The certificate identity code, which must be unique for the qualified trust service provider.
The advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider.
The location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point 8 is available free of charge.
The location of the certificate validity status services that can be used to enquire as to the validity status of the qualified certificate.

Criticism[]

Updates to eIDAS proposed In 2021 require browsers to provide new forms of assurance of website authenticity without specifying exactly how. They require web browsers like Chrome, Safari, and Firefox to incorporate a list of government-specified "Trusted Service Providers", and to accept and "displayed in a user friendly manner" the QWACs which those TSPs issue, despite a variety of trust, legal, technical and security concerns.^[3]^[2] The Internet Society and Mozilla say that requirements of the regulation require violating other requirements. They also assert that it would undermine technical neutrality and interoperability, undermine privacy for end users, and create dangerous security risks.^[7] They suggest instead continuing to build on the existing CA framework.

References[]

^ "Qualified Website Authentication Certificates". ENISA. May 16, 2016. Retrieved 2022-03-06.
^ ^a ^b "Experts urge EU not to force insecure certificates in web browsers". BleepingComputer. Retrieved 2022-03-06.
^ ^a ^b "Internet Impact Brief: Mandated Browser Root Certificates in the European Union's eIDAS Regulation on the Internet". Internet Society. 2021-11-08. Retrieved 2022-03-06.
^ Turner, Dawn. "Understanding eIDAS". Cryptomathic. Retrieved 12 April 2016.
^ ^a ^b "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. The European Parliament and the Council of the European Union. Retrieved 18 March 2016.
^ Turner, Dawn M. "Trust Service Providers according to eIDAS". Cryptomathic. Retrieved 17 October 2017.
^ Mozilla (2020-10-01). "European Commission's Open Public Consultation on eIDAS - Attachment to Mozilla's Survey Response" (PDF).

[1] "Qualified Website Authentication Certificates". ENISA. May 16, 2016. Retrieved 2022-03-06.

[:0-2] "Experts urge EU not to force insecure certificates in web browsers". BleepingComputer. Retrieved 2022-03-06.

[:1-3] "Internet Impact Brief: Mandated Browser Root Certificates in the European Union's eIDAS Regulation on the Internet". Internet Society. 2021-11-08. Retrieved 2022-03-06.

[Tuner_Understanding_eIDAS-4] Turner, Dawn. "Understanding eIDAS". Cryptomathic. Retrieved 12 April 2016.

[eIDAS-EUR-Lex-5] "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. The European Parliament and the Council of the European Union. Retrieved 18 March 2016.

[eIDAS-TrustServiceProviders-6] Turner, Dawn M. "Trust Service Providers according to eIDAS". Cryptomathic. Retrieved 17 October 2017.

[7] Mozilla (2020-10-01). "European Commission's Open Public Consultation on eIDAS - Attachment to Mozilla's Survey Response" (PDF).

[1]

[2]

[3]

[4]

[5]

[6]

[7]