EU’s eIDAS will very likely result in less security for all

A joint statement of scientists and NGOs on the EU’s proposed eIDAS reform says that it will very likely result in less security for all. Mozilla is not happy, either.

The statement

An open letter setting out the position of scientists and NGOs on the EU’s proposed digital identity reform, signed on November the 3rd, 2023, by 409 scientists and researchers from 33 countries as well as numerous NGOs, states that the EU’s proposed eIDAS reform may in fact harm EU citizens’ security.

Mozilla’s and OpenSSF’s position

On November the 2nd, 2023, the industry presented a Joint Statement on Article 45 in the EU’s eIDAS Regulation.

Also on November the 2nd, the Open Source Security Foundation, a part of the Linux Foundation, co-signed the Industry Joint Statement on Article 45.

On November the 4th, 2023, Mozilla published a position paper regarding the EU Digital Identity Framework (a direct link to the PDF here).

What is eIDAS?

The European Union’s eIDAS regulation (short for Electronic Identification, Authentication and Trust Services) has been around since 2014.

During all these years, EU trust service providers have adhered to the eIDAS regulation, making it easier for EU citizens to identify themselves digitally across different EU countries and administrations.

For instance, EU citizens can identify themselves to the Spanish Administrations using the Spanish eIDAS node.

EU eIDAS Trust Providers

Of course, each EU country has many trust service providers, offering many different trust services, such as:

  • Qualified Time Stamp - QTimestamp.

  • Qualified Certificates for Electronic Signature - QCert for ESig.

  • Qualified Certificates for Electronic Seal - QCert for ESeal.

  • Qualified Certificates for Website Authentication - QWAC.

  • Qualified Electronic Registered Delivery Service - QeRDS.

  • And others.

These "trust providers" may also issue digital certificates to identify people. Here in Spain all citizens have a digital certificate embedded in the identity card, but there are many other certificates as well: lawyers, public notaries, national health workers and registrars have their own certificates, too.

eIDAS 2.0

EU eIDAS has been working well, building a network of digital trust around Europe that has made things simpler for everybody. Lawyers can digitally sign documents with legal validity, citizens can pay taxes more easily, etc.

The recommendation and the regulation had as an objective that "at least 80% of citizens should be able to use a digital ID solution to access key public services by 2030".

This "digital ID solution" would be an EU Digital Identity Wallet, or purse, so that citizens and companies could use this digital identity wallet to open bank accounts, rent a car or share health data, for instance.

The problematic Article 45


Everything looked fine until the EU presented the final text for eIDAS 2.0. The problem (for both the scientists and Mozilla) is the proposed text for Article 45. As Mozilla states it:

  • The 2014 eIDAS Regulation was premised on discredited security technology: the "Qualified Website Authentication Certificates" (QWAC), which are based on a discredited security architecture.

  • The revised Article 45 overrides independent Root Programs and undermines their security assurances, making QWAC mandatory for web browsers.

  • The revised Article 45 creates vulnerabilities to be exploited by authoritarian regimes, by using digital certificates issued by local Certificate Authorities that governments can intercept.

To summarize, the eIDAS proposal by the EU, in its current state, would allow any EU member state or third-party country, acting alone, to intercept the web traffic of any EU citizen, and there’s no effective recourse.

What could we do then?

As Mozilla suggests, if you’re an EU citizen you may want to contact Romana JERKOVIĆ, the member of the European Parliament responsible for the eIDAS file, and register your concern.

I already have.
