eIDAS Art.45(2) on web authentication poses a threat to internet users, Mozilla Firefox warns
EU’s Regulation on eIDAS entered into force in September 2014 and aimed to secure cross-border identification access for online services offered by the EU member states. The revised provision regarding web authentication (Art.45 (2) ) of the Regulation) obliges browsers to accept the EU-designed Qualified Web Authentication Certificates (QWACs) to protect them from fraud, malware, and surveillance.
According to Chief Security Officer at Mozilla, Marshal Erwin, Art.45 (2) of the eIDAs would bypass the critical line of defense against cybercrime and would eventually make it harder to push back surveillance attempts in the future. Erwin also adds that if Art.45 (2) is taken into a global standard, it will give tools to governments to carry out state-sponsored surveillance of internet traffic.
MEP Romana Jerkovic, deleted Art.45(2) in her draft to come up with a strategy that will not jeopardize security.
European Commission’s spokesperson said that the concerns raised by the browser community are based on the technical implementation of Art.45(2). The Commission intends to achieve the recognition of QWACs without any interference, and in collaboration with the relevant standardized bodies the technical implementation of Art.45(2) will be set.