Qualified website authentication certificate

The EU trust mark for qualified trust services.

A qualified website authentication certificate (QWAC certificate) is a qualified digital certificate under the trust services defined in the European Union eIDAS Regulation.


A 2016 European Union Agency for Cybersecurity (ENISA) report proposed six strategies and twelve recommended actions, as an escalating approach that targets the aspects seen as most critical for improving the website authentication market in Europe and for successfully introducing qualified website authentication certificates as a means of increasing transparency in that market. [1]

QWAC in the context of other standards

There are different types of website authentication certificates, distinguished by the content of the certificate's Subject field: Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV). Another distinction is the number of domains secured by the certificate: single-domain, wildcard and multi-domain. Extended Validation certificates have a distinct set of issuance policies, requiring an enhanced level of certificate subscriber identity verification as prescribed by the CA/Browser Forum ("EV TLS Certificate Requirements", CABF), so they have the highest level of identity assurance of all TLS certificates in the marketplace. Depending on the browser, an EV certificate was distinguished by a green address bar, green text and the presence of the legal business name alongside the URL. Research conducted by Google and UC Berkeley [2] found that users did not notably alter their behavior based on the presence or absence of these indicators. This result motivated Google, which commanded significant browser market share, [3] to discontinue differentiation between the certificate types. The EU approached the CABF in 2018 requesting to partner on updating the existing EV requirements to include additional Subject information within EV certificates. Google, followed by other browsers, was already in the process of deprecating EV indication and discouraged the EU from using EV certificates. As of 2019 most major browsers no longer give strong indication of EV certificates. Most financial institutions in both the EU and the US continue to use EV certificates.[citation needed]

With the reluctance of browsers to modify the existing EV requirements to accommodate new eIDAS identifying information, eIDAS regulators began introducing a new parallel security structure relying on government certification of trust service providers (TSPs). This would exist alongside the existing multi-stakeholder certificate authority (CA) system. The parallel security structure concerns industry stakeholders, who have identified risks in the approach, mostly around government-mandated CA governance, and have raised concerns that its implementation would undermine the privacy of individuals on the web. [4] [5]

eIDAS Regulation

In the eIDAS Regulation trust services are defined as electronic services, normally provided by TSPs, which consist of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. [6] [7]

In essence, the eIDAS Regulation provides a framework to promote: [8]

Content

Website authentication certificates are one of the five trust services defined in the eIDAS Regulation. Article 45 requires trust service providers that issue qualified website authentication certificates to be qualified themselves, which means that all requirements for qualified trust service providers (QTSPs) described in the previous section apply to them. Annex IV defines the content of qualified certificates for website authentication: [7]

  1. An indication that the certificate has been issued as a qualified certificate for website authentication.
  2. A set of data unambiguously representing the qualified trust service provider issuing the qualified certificates, including the member state in which that provider is established and, as applicable:
    1. for a legal person: the name and, where applicable, registration number as stated in the official records,
    2. for a natural person: the person’s name.
  3. For natural persons: at least the name of the person to whom the certificate has been issued, or a pseudonym. If a pseudonym is used, it shall be clearly indicated. For legal persons: at least the name of the legal person to whom the certificate is issued and, where applicable, the registration number as stated in the official records.
  4. Elements of the address, including at least city and state, of the natural or legal person to whom the certificate is issued and, where applicable, as stated in the official records.
  5. The domain names operated by the natural or legal person to whom the certificate is issued.
  6. Certificate’s period of validity.
  7. The certificate identity code, which must be unique for the qualified trust service provider.
  8. The advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider.
  9. The location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point 8 is available free of charge.
  10. The location of the certificate validity status services that can be used to enquire as to the validity status of the qualified certificate.

Criticism

Updates to eIDAS proposed in 2021 require browsers to provide new forms of assurance of website authenticity without specifying exactly how. They require web browsers such as Chrome, Safari and Firefox to incorporate a list of government-specified "Trusted Service Providers", and to accept and display "in a user friendly manner" the QWACs which those TSPs issue, despite a variety of trust, legal, technical and security concerns. [5] [4] The Internet Society and Mozilla say that some requirements of the regulation can only be met by violating other requirements. They also assert that it would undermine technical neutrality and interoperability, undermine privacy for end users, and create dangerous security risks. [9] They suggest instead continuing to build on the existing CA framework.


References

  1. "Qualified Website Authentication Certificates". ENISA. May 16, 2016. Archived from the original on 2022-03-07. Retrieved 2022-03-06.
  2. Felt, Adrienne Porter; Reeder, Robert W.; Ainslie, Alex; Harris, Helen; Walker, Max; Thompson, Chris; Acer, Mustafa; Morant, Elisabeth; Consolvo, Sunny (2016). "Rethinking Connection Security Indicators". SOUPS. Archived from the original on 2022-03-01. Retrieved 2022-04-28.
  3. "W3Counter: Global Web Stats - January 2018". www.w3counter.com. Archived from the original on 2021-11-05. Retrieved 2022-04-28.
  4. "Experts urge EU not to force insecure certificates in web browsers". BleepingComputer. Archived from the original on 2022-03-06. Retrieved 2022-03-06.
  5. "Internet Impact Brief: Mandated Browser Root Certificates in the European Union's eIDAS Regulation on the Internet". Internet Society. 2021-11-08. Archived from the original on 2022-03-06. Retrieved 2022-03-06.
  6. Turner, Dawn. "Understanding eIDAS". Cryptomathic. Archived from the original on 20 April 2016. Retrieved 12 April 2016.
  7. "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. The European Parliament and the Council of the European Union. Archived from the original on 15 January 2018. Retrieved 18 March 2016.
  8. Turner, Dawn M. "Trust Service Providers according to eIDAS". Cryptomathic. Archived from the original on 6 October 2017. Retrieved 17 October 2017.
  9. Mozilla (2020-10-01). "European Commission's Open Public Consultation on eIDAS - Attachment to Mozilla's Survey Response" (PDF). Archived (PDF) from the original on 2022-03-06. Retrieved 2022-03-06.