from the just-stop dept
The EU is at it again. Recently Mozilla put out a position paper highlighting the latest dangerous move by busybody EU regulators who seem to think that they can magically regulate the internet without (1) understanding it, or (2) bothering to talk to people who do understand it. The issue is the Digital Identity Framework, which, in theory, is supposed to do some useful things regarding interoperability and digital identities. This could be really useful in enabling more end user control over identity and information (a key part of my whole Protocols, Not Platforms concept). But the devil is in the details, and the details are a mess.
It would force browsers to support a specific kind of authentication certificate — Qualified Web Authentication Certificates (QWACs) — but as Mozilla points out, that would be disastrous for security:
At the same time, the types of website certificates that browsers would be forced to accept, namely QWACs, are based on a flawed certificate architecture that is ill-suited for the security risks users face online today. In the years since the original eIDAS regulation was adopted in 2014, an increasing body of research has illustrated how the certificate architecture upon which QWACs are inspired – namely, extended validation certificates – lull individuals into a false sense of security that is often exploited for malicious purposes such as phishing and domain impersonation. For that reason, since 2019 no major browser showcases EV certificates directly in the URL address bar.
As such, should the revised Article 45 be adopted as is, Mozilla would no longer be able to honour the security commitments we make to the hundreds of millions of people who use our Firefox browser or any of the other browser and email products that also depend on Mozilla’s Root Program. It would amount to an unprecedented weakening of the website security ecosystem, and undercut the browser community’s ability to push back against authoritarian regimes’ interference with fundamental rights (see here and here for two recent examples).
As Mozilla notes, the EU can still fix this. Whether or not it does is an open question.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: certificates, digital identity, eu, regulations, security