On Fri, 15 Jul 2022 17:20:38 -0700 (PDT)
Kirk Hall <[email protected]> wrote:

> Mozilla, on behalf of the browsers

Where do you see this? In what way is Mozilla acting "on behalf of the
[other?] browsers" rather than as itself?

> QWACs
> are similar to Extended Validation (EV) Certificates (they strongly
> identify the owner of a website through the TLS encryption
> certificate), but with additional security safeguards for consumers.

EV existed because the for-profit CAs wanted a hook to get more money.
EV certificates were not designed to (and did not) achieve what you
seem to have imagined. This lack of technical knowledge is a bad sign.

The way HTTP transactions work, the certificate you're seeing displayed
when you look at a web page will sometimes (in some cases often) not be
the same certificate provided when sending your data to the web site.

> QWACs are only issued by Qualified Trust Service Providers (QTSPs),
> which are Certification Authorities (CAs) established in the EU who
> must follow ALL of the SAME CA/Browser Forum requirements as every
> other CA in the world (including those browsers who are also CAs,
> such as Google).

In practice what matters is public oversight, and not a hierarchy of
abbreviations. That word "Qualified" has a bad history in this context.

> QTSPs must follow additional ETSI technical
> standards not applicable to other CAs, and are continuously monitored
> by their ETSI auditors. 

The proof of the pudding is in the eating. Right now there is no
history to suggest this is effective compared to existing policies.

> Finally, QTSPs and their trust services must also be approved by a
> national supervisory body before they can be listed on the EU Trust
> List and offer services like QWACs to the EU public.  
> https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home

At best this doesn't help, at worst it actively hinders.

> Why does the EU want these changes to existing eIDAS Article 45?  The
> EU is strongly committed to its own “digital sovereignty” to protect
> EU consumers, and is no longer willing to allow US big tech companies
> to dictate all the rules of the internet based on their own subjective
> judgment and commercial interests.  The EU has asked browsers
> (including Mozilla) to work with it on these issues since 2015, but
> the browsers have never been willing to cooperate. 

Understandably nobody wants to make stuff worse just in order to
satisfy EU politicians, especially when of course the blame will all be
placed on the browsers when things go wrong.

If the EU would like "digital sovereignty" through controlling how web
browsers work perhaps it should spend the eye-watering sum of money
needed to write similarly good web browsers and offer them to EU
citizens?

> The 2022 changes to eIDAS Article 45 are the result of this lack of
> browser cooperation over the years, and the grossly misleading
> website set up by Mozilla is just a part of a massive lobbying effort by
> the browsers to turn the EU Parliament against the proposals of its
> own EU Commission. Misleading, and very disappointing.

As somebody with more than a little actual knowledge in this area, I
disagree; the site seems to summarise real problems with this eIDAS
article as currently written.

> (1) The EU wants browsers who distribute their software in the EU to
> bring back a common identity UI (like the one they showed to users
> for QWAC and EV certificates until 2019, when they arbitrarily
> removed the identity UI) so consumers can know “who they are dealing
> with” when they provide their personal data (password, credit card
> number) to a website.  EU consumers actually already have a “right to
> know” who they are dealing with under GDPR and two other EU laws
> before they provide websites with their personal data.  The browsers
> are not respecting this legal right in their current UIs.

The "right to know" does not translate to an obligation on third
parties as you've suggested here. If it did then telecoms companies
would be obliged to prefix incoming calls with detailed information
about who is calling you, just in case you were to answer any questions
on that call. Instead - as a consumer would expect - the web site is
responsible for informing them as to who they are dealing with, just as
a caller would be responsible on the telephone.

Furthermore, the UI "they showed to users for QWAC and EV
certificates" is considered actively misleading, which is one reason it
was deprecated and shouldn't be brought back. It is not surprising that
for-profit entities would seek to have the EU write policy that
increases revenue for them, but really you'd hope that politicians
would be a bit sharper in figuring out the motivation.

That's what EV was about, and that's what this special treatment for
QWAC is about too. The CA does the same work, but they persuade
subscribers now it's worth more money because they were able to have
the browser show a different UI.

Technically, what you're asking (and indeed what the eIDAS documents
seem to imagine getting) is not possible. Into the gap between what they
imagine and what is actually possible falls every consumer who is
victimised by criminals as a result. Does the revised eIDAS article
contain funding to compensate those victims? It seems not.


> (2) In addition, the EU wants to establish its own “digital
> sovereignty” for EU citizens through its own EU Trust List for trust
> service providers – and it does not want US big tech browsers to have
> the unilateral subjective right to distrust a QTSP based on the
> browser’s own whim, without applying public and objective standards
> and without granting any right to appeal and obtain review of a
> browser decision by a trusted technical body such as ENISA.  For this
> reason, revised Article 45 requires browsers who distribute their
> software in the EU to “recognize” QWACs – that’s all.

The real world effect of this proposal is that there would be more
victims.

EU member states have not proved to be very good in the role you imagine
for them. I suggest reading about DigiNotar. Likewise a "right to
appeal" has the same problem in this context as it would for arresting a
violent criminal. The Dutch government claimed to believe its own services
(operated by DigiNotar) were unaffected (they were actually compromised
too), and it fought in its own courts (against Dutch journalists) to
suppress internal documents showing DigiNotar was completely
compromised and its oversight had been inadequate.

Public oversight is what's needed, and that's what we do around here;
it's why m.d.s.policy is not a private forum for Mozilla's employees,
but instead a public discussion by the community of users, which in
effect is everybody in our increasingly connected world.

eIDAS revisions seek to subvert that, replacing the oversight and
judgement of the Relying Parties (everybody) with the lack of oversight
from EU member states who've got other priorities.

> eIDAS 2 - Recital (32): Website authentication services provide users
> with assurance that there is a genuine and legitimate entity standing
> behind the website. Those services contribute to the building of
> trust and confidence in conducting business online, as users will
> have confidence in a website that has been authenticated.

This is a bad regulation. It could have been written by people who
don't understand the technology they're trying to regulate, but alas I
suspect instead it was written by people who understand perfectly well
that technology but are focused on how best to increase the revenue of
their for-profit company by manipulating politicians.

The thing we know how to actually do, we are already doing. The DNS name
in the URL bar is, in fact, the DNS name of the site you're visiting. If
the EU wants that to reflect a "genuine and legitimate entity" it is
welcome to use the entire TLD it has (.eu) to enforce such rules for DNS
names. I should warn you that similar ideas in the UK were... not
whole-heartedly embraced; the ltd.uk and plc.uk second level domains
are not very popular.

Trying to leverage the X.509 Common Name field to do something else, as
EV is purported to do and as it appears QWACs want to attempt, will not
have the desired effect except in the sense that the "desired effect"
for some of these QTSPs would be to increase their revenue.

Nick.
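The point above that the certificate shown for the page you are looking at is often not the certificate protecting the data you submit can be checked mechanically. The following is an added example, not code from this thread or from Mozilla: it parses a constructed HTML document served from a placeholder host (the one an identity UI would describe) and lists the other hosts that form submissions and subresource loads are sent to, each of which presents its own certificate in its own TLS handshake. All hostnames and the page content are constructed for illustration.

```python
"""Which TLS certificates actually protect the data a user submits?

Constructed example: a page at https://shop.example.eu (the host the URL
bar and any identity UI would describe) contains a payment form that posts
to a different host and loads a script from a third. Each host negotiates
its own TLS session with its own certificate; the identity UI only ever
reflects the top-level document's certificate.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample document; every hostname is a placeholder.
TOP_LEVEL_URL = "https://shop.example.eu/checkout"
SAMPLE_HTML = """
<html><head>
  <script src="https://cdn.example-partner.net/analytics.js"></script>
</head><body>
  <form action="https://pay.example-psp.com/submit" method="post">
    <input name="card" type="text"><input type="submit">
  </form>
  <form action="/account/login" method="post">
    <input name="password" type="password"><input type="submit">
  </form>
  <img src="//images.example-cdn.org/logo.png">
  <a href="https://other.example.org/">link</a>
</body></html>
"""

# Tag/attribute pairs that make the browser open a connection to the named
# host while the URL bar still shows the top-level document. Plain links
# are excluded: following one navigates, and the URL bar changes with it.
FETCH_ATTRS = {"form": "action", "script": "src", "img": "src",
               "iframe": "src", "link": "href"}


class OriginCollector(HTMLParser):
    """Collect (tag, absolute URL) for every fetch or submission target."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                # urljoin resolves relative and scheme-relative references
                # against the document URL, as the browser would.
                self.found.append((tag, urljoin(self.base_url, value)))


def connection_hosts(base_url, html):
    """Return {host: [(tag, url), ...]} for every host the page talks to."""
    parser = OriginCollector(base_url)
    parser.feed(html)
    by_host = {}
    for tag, url in parser.found:
        by_host.setdefault(urlsplit(url).hostname, []).append((tag, url))
    return by_host


def certificate_report(base_url, html):
    """Split the hosts into: the one whose certificate the URL bar reflects,
    the hosts that receive form data, and the remaining subresource hosts.
    Returns (displayed_host, sorted form targets, sorted other hosts)."""
    displayed = urlsplit(base_url).hostname
    by_host = connection_hosts(base_url, html)
    form_targets = sorted(h for h, uses in by_host.items()
                          if any(tag == "form" for tag, _ in uses))
    others = sorted(h for h in by_host
                    if h != displayed and h not in form_targets)
    return displayed, form_targets, others


if __name__ == "__main__":
    shown, forms, others = certificate_report(TOP_LEVEL_URL, SAMPLE_HTML)
    print("certificate the identity UI describes:", shown)
    print("certificates that protect submitted form data:", forms)
    print("certificates for other loaded resources:", others)
```

The report for the constructed page shows the card number leaving for pay.example-psp.com under that host's certificate, while the identity UI would only ever have described shop.example.eu. A defender reviewing a site for this mismatch would run the same walk over the served HTML (and, in practice, over script-generated requests as well, which a static parse cannot see).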

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220716035250.5fce6d26%40totoro.tlrmx.org.