Mozilla steps up its attack on revising EU’s eIDAS regulations
Changes being contemplated for the EU’s eIDAS regulation could make people on the web less secure and make state surveillance easier, says Mozilla, the nonprofit developer of the Firefox browser.
In a report published today, Mozilla is warning that Article 45.2 of the European Union’s eIDAS is in danger of revisions that would weaken security, posing risks to web authentication and encryption standards.
Browsers might be required to recognize qualified web authentication certificates that the EU creates. The stamps of legitimacy are known by the profoundly unself-conscious acronym QWACs.
The certificates would not be free, as current documentation is, and, according to Mozilla, would be inferior at securing the web compared to the certificates issued today.
It is not a new objection, at least not for Mozilla, which has been lobbying European politicians on the matter for some time.
A small handful of web notables are highlighted in the report agreeing with the warning. They include a senior vice president at the Internet Society, a GlobalSign chief information security officer and Mozilla’s own chief security officer.
The Internet Society’s Joseph Lorenzo Hall is quoted saying that politicians are playing with the idea of “bolting an exception mechanism on for EU government trusted entities.”
Doing that, Hall says, means “browsers will be forbidden, for example, from revoking trust for certain things.” The community would be prevented from acting quickly and unilaterally against sites known to be spoofed or those that are being bugged.
Arvid Vermote, CISO at certificate authority GlobalSign, says the changes would multiply the number of bodies that can define “globally trusted” from four now to upwards of 30. That would make consensus-making much harder, making some poor decisions inevitable.