QWAC and eIDAS 2.0 certificates: what they are and why security can go back 12 years

On 8 November 2023, the European Commission and the Council of the European Union confirmed that a preliminary agreement had been reached on the new provisions on digital identity. The European institutions discussed the European Digital Wallet: Member States will offer citizens and businesses digital wallets in which they will be able to link their national digital identities with proof of other personal attributes (e.g., driving licences, diplomas, bank accounts, etc.). Citizens will be able to prove their identity and share electronic documents from their digital wallets with a simple tap on their smartphone.

QWAC Certificates: what they are and why they are a pillar of eIDAS 2.0

eIDAS, an acronym for “Electronic Identification, Authentication and Trust Services”, is a European Union regulation that establishes a regulatory framework for electronic identification, authentication and trust services in the EU digital environment.

With the approval of the new version of the regulation, christened eIDAS 2.0, the concept of the European Digital Wallet is taking on crucial importance in the digital ecosystem of the Old Continent.

Alongside the provisions regarding Digital Wallets, however, the legislator is inserting some highly impactful changes for any website. Unfortunately, the EU Council statement contains only a brief reference to this specific topic, one that entirely fails to convey the extent of the changes proposed: “the revised version of the legislation clarifies the scope of qualified web authentication certificates (QWAC): They ensure that users can verify who is behind a website, while preserving current industry rules and established security standards”, the statement reads.

How QWAC certificates work and why the European Union offers them

QWAC certificates (Qualified Website Authentication Certificates) are digital certificates used to authenticate a website and secure its traffic. They are issued in compliance with the eIDAS regulation and allow an encrypted connection to be established between the web server and the browser, guaranteeing that the data exchanged are protected and that the site is authenticated and verified.

The main objective of QWAC certificates is to reassure end users that online services are reliable, authentic and secure, in compliance with European regulations on electronic identification and data protection.

At first glance the issue of QWAC certificates could be classified as a “non-problem”: we have a new type of digital certificate to be added to those already existing. What’s wrong with that?

For those who already know the world of digital certificates, let’s say straight away that in practice QWAC certificates are comparable to EV (Extended Validation) certificates.

EV (Extended Validation) certificates are used to protect the data exchanged between a website and the client (typically a web browser) used by the remote user. They differ from the other types of certificates (DV and OV) mainly in the level of validation performed and in the additional information they carry.

The decline of EV certificates and the idea of bringing them back into vogue with QWAC

The number of EV certificates used globally is decreasing rapidly, despite the overall increase in the use of the HTTPS protocol. The decline is primarily attributable to high cost, complex management and poor automation. Furthermore, the real effectiveness of an EV certificate depends entirely on the user, who must manually check for a graphical indicator in the browser address bar and verify the identity stated in the certificate itself.

In the case of the QWAC certificates promoted by eIDAS 2.0, although the technical features of the certificates appear similar to those of EVs, they may represent an additional burden for users. The fact that these certificates require their validity to be checked by an external service could represent a risk in terms of privacy and security.

The proposal to use QWAC certificates with the TLS protocol could compromise technical neutrality and interoperability, undermine user privacy and increase online risks.

What is PKI and why is it a valuable reference

The term PKI, an acronym for Public Key Infrastructure, refers to the set of technologies, policies, procedures and cryptographic standards used to manage cryptographic keys in a digital environment. PKI is essential for ensuring security and authentication in Internet communications.

Public key (or asymmetric) cryptography uses two different keys: a public key and a private key. The public key is available to anyone who requests it and is used to encrypt data or verify a digital signature. The private key, in contrast, is kept secret by its owner and is indispensable for decrypting encrypted data or digitally signing documents.

Terms to know when it comes to PKI

  • Digital certificates. Digital certificates are the heart of PKI. They are issued by entities called Certification Authorities (CAs) and contain information about a public key and the identity of the key’s owner. Digital certificates are commonly used to validate an entity’s identity online. For example, they attest that the identity of a website using HTTPS actually corresponds to the one declared.
  • Certificate Authority (CA). CAs are trusted organizations responsible for issuing, managing and revoking digital certificates. A CA verifies the identity of the applicant before issuing a certificate, ensuring the authenticity and reliability of the certificates it issues. The verification performed differs, and is more or less thorough, depending on the type of digital certificate requested.
  • User register. An archive that contains information about the certificates issued and which can be consulted to verify the authenticity of a certificate.
  • Revocation of certificates. If a private key appears to be compromised, or if the identity associated with a certificate is no longer valid, the CA can revoke the certificate so that it is no longer considered valid for authentication.

The approach used for PKI is not perfect but is the result of years of work carried out by an incalculable number of experts and industry figures.

How public key infrastructure (PKI) works now

Root store operators are entities or organizations that manage and maintain the repositories of root certificates (root stores). These root certificates form the basis of the entire chain of trust on which the public key infrastructure (PKI) rests, and so play a fundamental role in the authentication and security of online connections.

Web browsers, operating systems, and other software use root certificate stores to authenticate websites, online services, and manage communications security.

Root store operators must ensure that root certificates are reliable and safe, avoiding the inclusion of certificates that could compromise the security or integrity of online communications. They must also regularly update these stores to reflect changes in trust and in the validity of the root certificates issued by universally recognized certification authorities.

It is in the interest of software and device vendors to ensure that a Root CA (root certification authority) behaves properly, because otherwise all of that vendor’s customers run the serious risk of their traffic being intercepted and decrypted.

On Windows, press Windows+R and type certmgr.msc, then look at the Trusted Root Certification Authorities section. An identical section is present in all major operating systems, as well as in web browsers that do not rely on the operating system’s store, such as Mozilla Firefox.
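To make the chain-of-trust point concrete, here is an added shell example (not from the article) using the openssl CLI: the same website certificate is accepted or rejected purely according to which root CAs are present in the store used for verification. The CA names and the hostname www.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): the same website certificate is
# accepted or rejected purely according to which root CAs sit in the
# verifier's root store. Assumes the openssl CLI is installed; every name
# below (Example Root CA, Other Root CA, www.example.test) is a constructed
# placeholder.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root <file-prefix> <CN>: a self-signed root, as a root store would ship it.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_root root  "Example Root CA"   # the CA that will sign our site certificate
make_root other "Other Root CA"     # an unrelated CA, shipped by a different store

# A leaf certificate for the website, issued by "Example Root CA".
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -out "$WORK/leaf.pem" 2>/dev/null

# verify_leaf <root-store-file>: exit 0 if leaf.pem chains to a root in that
# store, non-zero otherwise (the check a browser makes before showing a padlock).
verify_leaf() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

if verify_leaf "$WORK/root.pem"; then
  echo "store containing Example Root CA: www.example.test trusted"
fi
if verify_leaf "$WORK/other.pem"; then
  echo "unexpected: trusted without its issuing root"
else
  echo "store containing only Other Root CA: www.example.test rejected"
fi
```

Whatever root a store operator adds, every certificate that root issues passes this check, which is why the contents of the root store are the real security boundary.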

Europe would revolutionize (negatively) the security of communications on the Internet

The most serious problem is that, using the leverage of the new eIDAS 2.0 regulation, Europe could force browser developers and…
