Mandatory EU government root certificates (QWACs)

The linked article mentions concerns about the planned mandatory introduction of state-controlled qualified website certificates (QWACs) as part of the “eIDAS Regulation”.

The EU plans to establish an additional system for certificates, which would be legally required within the EU. These new QWACs would be controlled by individual EU member states, and citizens would be expected to trust them without the option to opt out. These certificates will have to be accepted as trustworthy by browsers. This would grant EU governments control over the cryptographic keys for TLS. Whoever controls these keys can potentially intercept TLS-encrypted communication.

This has implications outside the EU too, because once the mechanism for what is basically a government MITM attack has been integrated into browsers, other countries could attempt the same. A historical precedent is that in 2020 the government of Kazakhstan imposed its own root certificate on citizens to monitor encrypted data traffic.


Yeah, that’s no good :grimacing:

There are protections against rogue CAs intercepting traffic in modern browsers, but it sounds like this would outlaw those technologies too:

The current text of Article 45 requires that browsers trust CAs appointed by governments, and prohibits browsers from enforcing any security requirements on those CAs beyond what is approved by ETSI. […] This upper bar on security may even ban browsers from enforcing Certificate Transparency, an IETF technical standard that ensures a CA’s issuing history can be examined by the public in order to detect malfeasance. Banning CT enforcement makes it much more likely for government spying to go undetected.

This is one of those laws that are difficult to imagine passing, because, as EFF points out, it ignores the obvious lesson that the United States learned in 2000, that there are no borders when it comes to the internet, but… still something to keep an eye on :eyes: