Europe’s eIDAS 2.0: a threat to modern web security?

The Council of the European Union is preparing a new set of rules for secure electronic communications and identification. In one respect, however, eIDAS 2.0 goes backwards: it adopts a model of certificate trust that modern browsers and internet platforms abandoned long ago.

eIDAS, or “electronic IDentification, Authentication and trust Services,” is the set of rules adopted in Europe to enable secure online transactions across the European single market. Every member state must adopt the eIDAS rules, and the same applies to organizations and companies that want to provide public digital services there.

The Council of the European Union, one of the EU's two legislative bodies alongside the European Parliament, has recently adopted a new revision of eIDAS. Most of it concerns a European Digital Identity Wallet, a government-issued app in which European citizens would store their personal identity data. eIDAS 2.0 also contains revised rules for digital certificates, and that part, according to digital rights activists and non-profit organizations, is a giant step backward for modern internet security.

According to the Electronic Frontier Foundation (EFF), the gist of the issue is Article 45.2 of the new eIDAS rules: it would require web browsers and other internet services to recognize “qualified web authentication certificates” (QWACs) issued by designated Qualified Trust Service Providers (QTSPs).

If Article 45.2 is approved, European member states would effectively gain the powers of a Certificate Authority (CA) that browsers cannot refuse: a QWAC issued by a QTSP would have to be trusted by browsers regardless of the browser vendor's own judgement, because QTSPs are approved under EU regulation rather than by the vendor's root program. Even if a QTSP's certificates were compromised, browsers would be obliged to keep trusting them.

The EU is essentially proposing a return to the old model of Extended Validation (EV) certificates, the EFF remarked, a scheme that never delivered much security in practice and that browsers abandoned long ago in favor of the current model: HTTPS with Domain Validation (DV) certificates, where each browser vendor runs its own root program, decides which CAs it trusts, and can swiftly remove a CA that misissues certificates or is compromised.
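To make the mechanism concrete, here is an added example of the trust decision a browser's root program makes; it is not code from the page, the EFF, or any browser, and it uses Go's standard-library X.509 verifier. The CA name "Example QTSP Root CA" and the hostname www.example.eu are hypothetical. A certificate issued by a CA the client has not chosen to trust fails validation; once the client adds the CA it passes; and once the client removes the CA again, the same, still unexpired certificate fails. Under the model described above, that last step would no longer be at the browser's discretion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustStore models a browser root program: the set of CA certificates the
// client itself has chosen to trust. A CA can be removed again at any time.
type TrustStore struct {
	roots map[string]*x509.Certificate // keyed by the CA's subject name
}

func NewTrustStore() *TrustStore { return &TrustStore{roots: map[string]*x509.Certificate{}} }

func (s *TrustStore) Trust(ca *x509.Certificate)    { s.roots[ca.Subject.String()] = ca }
func (s *TrustStore) Distrust(ca *x509.Certificate) { delete(s.roots, ca.Subject.String()) }

// Validate runs standard X.509 path validation (signature chain, validity period,
// basic constraints, server-auth EKU, hostname) against the store's current roots.
func (s *TrustStore) Validate(leaf *x509.Certificate, hostname string) error {
	pool := x509.NewCertPool() // non-nil and empty: system roots are not consulted
	for _, ca := range s.roots {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err
}

// sign generates a P-256 key pair and issues a certificate from tmpl, signed by
// parent (self-signed when parent is nil). Returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Outcome holds the validation error (nil means accepted) at each step.
type Outcome struct {
	UnknownCA, TrustedCA, DistrustedCA error
}

// Scenario walks through the trust decision: a certificate from a CA the client
// does not know is rejected, adding the CA makes it pass, and removing the CA
// again (what root programs do after misissuance) makes the same certificate
// fail. The CA name and hostname are hypothetical, constructed for this example.
func Scenario() (Outcome, error) {
	var o Outcome
	now, host := time.Now(), "www.example.eu"
	ca, caKey, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example QTSP Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return o, err
	}
	leaf, _, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return o, err
	}
	store := NewTrustStore()
	o.UnknownCA = store.Validate(leaf, host) // CA not in the store: rejected
	store.Trust(ca)
	o.TrustedCA = store.Validate(leaf, host) // CA trusted: accepted
	store.Distrust(ca)
	o.DistrustedCA = store.Validate(leaf, host) // CA removed: rejected again
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unknown CA: %v\ntrusted CA: %v\ndistrusted CA: %v\n", o.UnknownCA, o.TrustedCA, o.DistrustedCA)
}
```

Run it with `go run`: the first and last steps report an x509.UnknownAuthorityError, the middle one reports no error. The example models only trust-anchor membership, which is the part Article 45.2 would take out of the browser's hands; real browsers layer revocation and Certificate Transparency checks on top of it.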

Article 45.2 of the new eIDAS rules enforces an outdated model in an attempt to take power away from Big Tech and hand it back to individuals on the web through regulation, the EFF stated. As it is now, the non-profit remarked, Article 45.2 makes web security “harder to achieve and enforce, making the internet a less safe place for everyone.”