On Fri, Jul 15, 2022 at 5:20 PM Kirk Hall <[email protected]> wrote:
>
> I agree with Dimitris’ disappointment with Mozilla for setting up such a 
> misleading website – this is harmful to Mozilla’s reputation.

Why shouldn't Mozilla lobby about a law that would dramatically affect
the Web PKI and its future?
>
> Mozilla, on behalf of the browsers, is lobbying against legislation now 
> before the EU Parliament intended to amend various parts of the 2014 eIDAS 
> statute (“electronic IDentification, Authentication and trust Services” in 
> the European Union).  The legislation covers many subjects, but Mozilla’s 
> attacks are on the updates to Article 45 covering Qualified Web 
> Authentication Certificates (QWACs).  QWACs are similar to Extended 
> Validation (EV) Certificates (they strongly identify the owner of a website 
> through the TLS encryption certificate), but with additional security 
> safeguards for consumers.
>
> QWACs are only issued by Qualified Trust Service Providers (QTSPs), which are 
> Certification Authorities (CAs) established in the EU who must follow ALL of 
> the SAME CA/Browser Forum requirements as every other CA in the world 
> (including those browsers who are also CAs, such as Google).  QTSPs must 
> follow additional ETSI technical standards not applicable to other CAs, and 
> are continuously monitored by their ETSI auditors.
>
> Finally, QTSPs and their trust services must also be approved by a national 
> supervisory body before they can be listed on the EU Trust List and offer 
> services like QWACs to the EU public.  
> https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home
>
> Why does the EU want these changes to existing eIDAS Article 45?  The EU is 
> strongly committed to its own “digital sovereignty” to protect EU consumers, 
> and is no longer willing to allow US big tech companies to dictate all the 
> rules of the internet based on their own subjective judgment and commercial 
> interests.  The EU has asked browsers (including Mozilla) to work with it on 
> these issues since 2015, but the browsers have never been willing to 
> cooperate.
>
> The 2022 changes to eIDAS Article 45 are the result of this lack of browser 
> cooperation over the years, and the grossly misleading website set up by Mozilla 
> is just a part of a massive lobbying effort by the browsers to turn the EU 
> Parliament against the proposals of its own EU Commission.  Misleading, and 
> very disappointing.

The Commission is not part of the Parliament: it is intergovernmental
and the Parliament is not.

>
> The eIDAS 2 Article 45 legislation includes two main changes to existing EU 
> law on QWACs:
>
> (1) The EU wants browsers who distribute their software in the EU to bring 
> back a common identity UI (like the one they showed to users for QWAC and EV 
> certificates until 2019, when they arbitrarily removed the identity UI) so 
> consumers can know “who they are dealing with” when they provide their 
> personal data (password, credit card number) to a website.  EU consumers 
> actually already have a “right to know” who they are dealing with under GDPR 
> and two other EU laws before they provide websites with their personal data.  
> The browsers are not respecting this legal right in their current UIs.

There has been much research behind the removal of EV. It wasn't
adding value to protecting users, because there is no global notion of
corporate identity, and that's not how domains work and that's not how
companies work. The EU seems to have ignored all of this.

>
> (2) In addition, the EU wants to establish its own “digital sovereignty” for 
> EU citizens through its own EU Trust List for trust service providers – and 
> it does not want US big tech browsers to have the unilateral subjective right 
> to distrust a QTSP based on the browser’s own whim, without applying public 
> and objective standards and without granting any right to appeal and obtain 
> review of a browser decision by a trusted technical body such as ENISA.  For 
> this reason, revised Article 45 requires browsers who distribute their 
> software in the EU to “recognize” QWACs – that’s all.

Root programs have never been entitlements, and it isn't a technical
decision. Browsers need to be able to improve the CA ecosystem, as
Google did by creating certificate transparency and requiring CAs to
use it. It wasn't a CA/B forum requirement until long after, and some
CAs got told they had to use it first. Enshrining a least common
denominator into law, and then prohibiting browsers from adding
additional restrictions means that the Web PKI ecosystem will shift
power from browsers to CAs, who are unmotivated to improve things and
who get to lobby politicians.  How does the Web PKI evolve in that
world? That's ignoring the impacts to internet anonymity and access
that the QWACs create.

There's also the multistakeholder governance model to consider.
Creating national legislation to require the Internet work a certain
way breaks that governance model, and makes it much, much harder to
stand up to the next Kazakhstan. Multistakeholder governance and the
lack of Internet police has had its issues, but it has meant that
continued innovation is possible even if it causes a great deal of
losses to a good many entrenched interests. The same cannot be said
for EU lobbying.

Sincerely,
Watson Ladd

To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CACsn0ck9naEq7ByGsNNsRNUgDnqmzix5X619RaAj7gtT0%2B2mOQ%40mail.gmail.com.