Mozilla to Europeans updating eIDAS: Let’s give this more thought
Mozilla is waving off European Commission members, who are considering an update to their 2014 digital ID framework for online transactions.
The foundation, developer of the Firefox browser, pushes its pro-privacy stance hard. That is why it is noteworthy that its executives oppose digital ID security efforts by the only major economy that also seems to prioritize online privacy.
Indeed, executives at Mozilla say that they will not be able to honor their security commitments to Firefox users.
Important problems need to be addressed in the draft rules, however, according to a Mozilla white paper.
Changes being discussed would make browsers suspend root store policies necessary to maintain trust and security, Mozilla executives say. The policies “underpin a system of online trust” critical to protecting the security of every person using a browser.
Browsers also would have to accept website certificates that are “based on a flawed certificate architecture that is ill-suited” for online risks today. The so-called qualified web authentication certificates, or QWACs, are too risky, according to Mozilla.
Extended validation (EV) certificate architectures, which are based on QWACs, wrongly convince people that they are safe at a given site only to leave them open to phishing and domain impersonation.
In fact, according to a Mozilla blog post, “no major browser showcases EV certificates directly in the URL address bar.”
For these reasons, Mozilla says, the revisions being considered by the commission cannot make support for QWACs mandatory for browsers.