Qualified Website Authentication Certificate
A qualified website authentication certificate (QWAC certificate) is a qualified digital certificate under the trust services defined in the European Union eIDAS Regulation. A 2016 European Union Agency for Cybersecurity (ENISA) report proposed six strategies and twelve recommended actions as an escalated approach that targets the aspects viewed as most critical for improving the website authentication market in Europe and for successfully introducing qualified website authentication certificates as a means to increase transparency in that market.


QWAC in the context of other standards

There are different types of website authentication certificates, distinguished by the content of the certificate's Subject: Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV). Another distinction is the number of domains secured by the certificate: single domain, wildcard and multi-domain. Extended Validation certificates have a distinct set of issuance policies, requiring an enhanced level of certificate subscriber identity verification as prescribed by the CA/Browser Forum (CABF), so they carry the highest level of identity assurance of all TLS certificates in the marketplace. EV certificates were distinguished in the browser by a green address bar, green text and the presence of the legal business name next to the URL, depending on the browser. Research conducted by Google and UC Berkeley found that users did not notably alter their behavior based on the presence or absence of these indicators. These results motivated Google, which commanded significant browser market share, to discontinue differentiation between the certificate types. The EU approached the CABF in 2018 requesting to partner on updating the existing EV requirements to include additional Subject information within the EV certificate. Google, followed by other browsers, was already in the process of deprecating EV indication and discouraged the EU from using EV certificates. As of 2019 most major browsers no longer give strong indication of EV certificates. Most financial institutions in both the EU and the US continue to use EV certificates. With browsers reluctant to modify the existing EV requirements to accommodate the new eIDAS identifying information, eIDAS regulators began introducing a new parallel security structure relying on government certification of trust service providers (TSPs). This would exist alongside the existing multi-stakeholder certificate authority (CA) system. The parallel security structure concerns industry stakeholders, who have identified risks in the approach, mostly around government-mandated CA governance, and have raised concerns that its implementation would undermine the privacy of individuals on the web.
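As an added example (code written for this page, not from the article or any eIDAS body), the Go program below builds constructed self-signed certificates with Go's standard library and classifies each along the two axes described above: DV/OV/EV from the Subject attributes, and single/wildcard/multi-domain from the SAN entries. Treating the businessCategory attribute as the EV marker is an assumption drawn from the CA/Browser Forum EV Guidelines; organisation and domain names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// businessCategory (2.5.4.15): required by the CA/B Forum EV Guidelines, absent from DV/OV; assumed as the EV marker.
var OIDBusinessCategory = asn1.ObjectIdentifier{2, 5, 4, 15}
// Classify reads the validation level from the Subject and the domain scope from the SANs.
func Classify(c *x509.Certificate) (validation, scope string) {
	validation, scope = "DV", "single-domain"
	if len(c.Subject.Organization) > 0 {
		validation = "OV" // an O= attribute is what separates OV from DV
	}
	for _, atv := range c.Subject.Names { // every parsed attribute, ExtraNames included
		if atv.Type.Equal(OIDBusinessCategory) {
			validation = "EV"
		}
	}
	base := map[string]bool{} // distinct names once a leading "*." is stripped
	for _, d := range c.DNSNames {
		if len(d) > 2 && d[:2] == "*." {
			scope, d = "wildcard", d[2:]
		}
		base[d] = true
	}
	if len(base) > 1 {
		scope = "multi-domain" // unrelated names outrank a single wildcard
	}
	return validation, scope
}
// MakeSelfSigned builds a constructed self-signed leaf (not CA-issued) with the given Subject and SANs.
func MakeSelfSigned(subj pkix.Name, sans []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subj, DNSNames: sans, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so Subject.Names is filled from the DER
}
```

Classify looks only at the Subject and SAN, so it tells you what kind of certificate a site presents, not whether the issuing CA actually performed the corresponding validation; that remains a policy question about the issuer.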


eIDAS Regulation

In the eIDAS Regulation, trust services are defined as electronic services, normally provided by TSPs, which consist of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. In essence, the eIDAS Regulation provides a framework to promote:
* Transparency and accountability: well-defined minimal obligations for TSPs and liability.
* Guarantee of trustworthiness of the services, together with security requirements for TSPs.
* Technological neutrality: avoiding requirements which could only be met by a specific technology.
* Market rules and standardization certainty.


Content

Website authentication certificates are one of the five trust services defined in the eIDAS Regulation. Article 45 requires trust service providers issuing qualified website authentication certificates to be qualified, which implies that all requirements for qualified trust service providers (QTSPs) described in the previous section apply. Annex IV defines the content of qualified certificates for website authentication:


Criticism

Updates to eIDAS proposed in 2021 require browsers to provide new forms of assurance of website authenticity without specifying exactly how. They require web browsers such as Chrome, Safari and Firefox to incorporate a list of government-specified "Trusted Service Providers", and to accept the QWACs which those TSPs issue and have them "displayed in a user friendly manner", despite a variety of trust, legal, technical and security concerns. The Internet Society and Mozilla say that some of the regulation's requirements can only be met by violating others. They also assert that it would undermine technical neutrality and interoperability, undermine privacy for end users, and create dangerous security risks. They suggest instead continuing to build on the existing CA framework.

