Essentially regular certs, but handed out by governments/authorities and including detailed data about who the cert was issued to.
Think like EV-Certs, but now with more legally binding power cause you don't get them from some random private company but the government. Though admittedly that legal power is more of a thing when signing documents.
I fail to see the problem here. Their QWAC are root certificates that do not adhere to their idea of a "strict vetting approach". That sounds scary, until you realise all major browsers have happily accepted the LetsEncrypt-CA, when LetsEncrypt does no vetting at all.
To me this sounds like "have a little duck next to the padlock, make users understand that not all encryption is alike" could be a solution.
The problem is that it becomes mandatory for browsers to include a list of root certificates that may or may not conform to standards, and are not allowed under any circumstance to remove those root certificates. This means that in a case like DigiNotar (root CA of the national QWAC issuer compromised) it would be impossible for browsers to legally choose to secure their users and remove the compromised root from the trust list.
Additionally, eIDAS CA requirements and vetting have not been as strict as those in the CA/B Forum Baseline Requirements and the other documents related to DV/OV/EV certificate issuance.
Apart from that, there are known problems with QWAC (mostly related to name collisions, and the mostly manual process of vetting information being prone to errors), but that is generally a lesser issue than the above two.
> and are not allowed under any circumstance to remove those root certificates
Browsers would be forbidden from just deciding on their own to remove a root, but I imagine trust agents can lose their status and get removed from all browsers if they misbehave.
Decision on removal would lie with some EU agency though, not with individual browsers.
Do you have some more information about the actual differences between the requirements? I'd be interested to know and the article is certainly not telling them.
> mostly related to name collisions, and the mostly manual process of vetting information being prone to errors
What name collisions are those? If it's the old issue with confusing company names, the new certificates are supposed to contain a street address and a unique identifier to resolve that.
Oh, common? What interest could Mozilla have to break up the encryption of the few users still using their browser (and ruin everything they fought for?). Vs what could the government do when breaking the encryption of 500M users?
Cool. I trust the engineers at Mozilla far more than the politicians in EU.
You can’t mandate or legislate security from the parliament. It takes hard work, skill, education, experience, luck and visibility.
In my world, the law is just someone’s opinion. Security deals with systems, math, information, physics. I want the EU far far away from my root CA store pls.
nobody prevents you to use mozilla certificates, you do what you want with your love and dependency on mozilla
i want americans to mind their own business instead of trying to lobby in both EU/Asia by impersonating identities like with this .eu domain, what a trustworthy behavior btw ;)
> Cool. I trust the engineers at Mozilla far more than the politicians in EU.
> You can’t mandate or legislate security from the parliament. It takes hard work, skill, education, experience, luck and visibility.
nobody said nor want that, you should read the original articles instead of this propagandized website
I think you will find many global corps are actually multinational and have presence and thus effected by braindead laws coming out of the EU. We live on a shared internet plane, we cannot let EU do stupid things that break the internet. You may wish to look at restrictive internet legislation by countries is an attack on the world. It’s not US corp vs EU politicians. It’s EU politicians against earth internet users.
nobody voted for mozilla, they hold their position by selling their userbase to google
if that's what you want to trust, be it, trust them
we should have alternatives for the people who do not want to trust such entity doing shady things like political interference in foreign countries
> We live on a shared internet plane
another reason to not trust an entity that is selling its userbase to the most evil company on the internet and is also selling ads to people's browser ;)
your avidity made you loose all sight, you also lack critical thinking
Avidity is a strange word, I don’t think I have ever seen it before. It exists in English, but it is a French loan word.
I believe your perspective is one of someone in France. I am personally located in NY, but cannot vote. I have not been able to vote for over a decade in multiple countries now, and don’t really believe in it anymore.
I don’t really care if every EU citizen voted to make math illegal. While there is sanity elsewhere, and an internet exists, we can route around the madness.
I am not French, but i read a lot, i like nice words and their etymology
Nourishing yourself from multiple cultures would help you a lot developing critical thinking
You are stuck defending mozilla no matter what, fanboyism gets you nowhere, it makes you blind
> I don’t really care if every EU citizen voted to make math illegal. While there is sanity elsewhere, and an internet exists, we can route around the madness.
You'll remember that when times will make you want to go back in time and hope for an alternative path
Buddy, you have accused me of lacking critical thinking twice. I believe you are projecting. Critical thinkers generally don’t reduce an argument to “evil corps”.
I’m intrigued by why I would want to go back in time?
After seeing The last human - Kurzgesagt https://youtu.be/LEENEFaVUzU and realizing that for all
Of human history we have though it was the end - and actually it’s more likely that as the first few billion humans we will be the source of fascination for many generations to come. Our digital record will be preserved and relentlessly studied. Maybe our thread here will be a footnote in a hologram in a few millennia.
At least derive some joy from the fact you are far more perceptive than most identifying the negative traits of humanity. Most never have a clue and just exist…
Actually, it very much is EU politicians against US politicians thanks to the CLOUD act. US already has the power to force Mozilla to include whatever root certs they want.
People tend to think that the CLOUD Act did a lot more than it actually did. The CLOUD Act did two things.
First, it amended the Stored Communications Act (SCA) to clarify whether requests issued under the SCA were more like warrants or more like subpoenas.
Roughly, a warrant authorizes law enforcement to do something they normally would not be allowed to do, like search a place or seize something.
A subpoena authorizes law enforcement to make someone else do something, like make someone to give law enforcement a copy of a document that is under that person's control.
This didn't expand any US government powers. It just clarified what existing power applied when asking for data. In particular it had nothing to do with asserting US jurisdiction extraterritorially, which is what a lot of people seem to think it was about.
Second, it made it easier for the US to enter into agreements to share data with foreign governments. Previously this had to be done through something called a "mutual legal assistance treaty" (MLAT). The CLOUD Act authorized the executive branch to make data sharing agreements, which is much more streamlined but also has much less oversight.
There was nothing really controversial about the first part. Pretty much every major country claims similar powers to require people in their country to turn over documents to the government as part of criminal investigations.
The controversial part was the second part. Many felt that it would allow the government to easily enter into data sharing agreements to get data without needing a subpoena or warrant, thus bypassing the courts and so effectively stripping away Fourth Amendment rights.
Thanks a lot for the in-depth explanation. I admit, I didn't know a lot of the context, in particular the clarification between warrant and subpoena.
> This didn't expand any US government powers. It just clarified what existing power applied when asking for data. In particular it had nothing to do with asserting US jurisdiction extraterritorially, which is what a lot of people seem to think it was about.
Not a lawyer or expert in that area, but my understanding why specifically people in the EU were so upset about it (including ECJ judges apparently) was that this effectively did extend US jurisdiction - simply by virtue of US companies being active internationally, specifically tech companies.
The overwhelming part of all internet activities in the EU are facillitated through US companies (or local subsidiaries of them). This includes a large part of intra-EU activities. So if one german citizen writes another german citizen an email, chances are very high that email will be stored on a Google server - or at least on a server of a german subsidiary of Google. This makes the CLOUD act relevant to EU citizens, even though technically, the obligations of Google under it are a purely domestic affair.
So if the CLOUD act gives US agencies the power to subpoena Google to retrieve data about non-US citizens - while Google is effectively running large part of the internet for other countries - then that does feel a bit like extension of jurisdiction.
(It technically isn't, and to my knowledge the ECJ wasn't arguing that it was. The ECJ simply argued that Google's obligations under the CLOUD act are incompatible with Google's obligations under the GDPR. So something's got to give)
Going back to the beginning of the thread, I have to admit though, I have no idea if the CLOUD act would give agencies the power to force inclusion of certain root certs. So I take that back.
It can help to understand the jurisdiction issues to think of an analogous situation but with paper records instead of digital records. Consider this scenario.
I have a company that operates a business in the US. I keep records on paper in filing cabinets at my office.
I decide to archive some records offsite. I do this by engaging the services of a storage firm that operates a vault in an old mine in a remote area. To store records I ship them in a box to the storage firm, which slaps a barcode on the box, assigns it to an open spot in the vault, and puts the box there.
If I ever need the records I ask the storage firm for them, they look them up in their records to find where they are in the vault, retrieves the box, and ships it to me.
I later want to archive more records, and I do the same thing except this time I use a different storage company. It works the same way--they store boxes I send them, and ship those back to me upon request.
The first storage company is somewhere in the US. The second storage company is Mexico.
Suppose the US government wants to look at some of my records. If they want to get warrants to seize those records themselves by going to where they are stored (my office and/or the storage vaults) a US court would have jurisdiction to issue such warrants for the records in my office and the records in the storage vault in the US. For the records in the vault in Mexico they would have to go through whatever Mexico's procedure is to get the records seized.
They need to go through Mexico for the Mexican vault because they are trying to force someone in Mexico to do something they have no obligation to do. They want someone to go into the vault and seize the records.
If, one the other hand, the government gets a subpoena asking me for the records which in order to comply with I'll have to ask the vaults to send me the records, no one in Mexico is being asked to do anything other than provide the service to me that I hired them to do. The Mexican government does not need to be involved, and has no interest in being involved because what is happening in Mexico is just normal operation of the storage service there.
The situation with Microsoft that prompted the CLOUD Act was similar, although the records weren't archived records. Microsoft in the US operated an email service. They stored the email at various cloud providers around the world. One of those cloud providers was an EU company that was owned by Microsoft but separate from the Microsoft owned US company that provided the email service. The US Microsoft email company's relation with the EU Microsoft cloud storage company was simply that of a customer that bought their storage service.
The US Microsoft email company had the right to retrieve any data it stored at that cloud service (or at any other cloud service it used) at any time. Nobody at the cloud storage company would have to be involve or even aware when this happened. To them it is all just customers using the storage APIs to access the customer's data.
There are GDPR issues, but note those same GDPR issues would also apply if the US company was storing data about EU people in cloud storage that was entirely in the US (their own or at a separate US cloud provider whose servers were in the US).
The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
So what happens if, say, Firefox refuses to include these CA's by default?
If Mozilla has EU-based physical locations, would they be fined? With seizing of servers, real estate, bank accounts, etc. on EU territory if the fines aren't paid?
What if Mozilla has no permanent physical presence on EU territory? Could they still be fined? What happens if they ignore the fine? Could Mozilla executives on vacation in Europe, or technical staff presenting at European conferences, be arrested?
Would EU-based websites be legally required to block Firefox user agents? Would they be required to implement network-level firewalling of websites for downloading Firefox? Would it become illegal for EU residents to donate to Mozilla, or would the EU banking system be obligated to divert those donations to pay Mozilla's backlog of EU fines?
Would individual users on EU territory be subject to fines or arrest for running a browser without the QWAC root CA? What if they changed the browser settings, or recompiled the source code, to remove the QWAC root CA from the trust list?
Would it be illegal for Firefox to put QWAC on the trust list, but implement some sort of local "security enhancement proxy" whose sole purpose is to deny access to sites that use the QWAC CA?
I have the same feeling about Mozilla's credit card auto-fill. It won't remember the CCV. I assume this is because the CCV isn't supposed to be stored. But Mozilla isn't a credit card processor, I don't think they have any obligation to the credit card companies to not store the CCV. So what happens if they do start storing and auto-filling it?
So. The entire argument of the article seems to be "it's insecure because it's vetted by someone else than us".
But nowhere does it say what the actual vetting process for QWACs is and how it differs from the one of current certificates. Is that explained somewhere?
Also a bit disingenuous that nowhere on the page, they link to the actual specifications or discussions of the regulation, not even Wikipedia. All we get are some barebone definitions with a heavy dose of spin.
But of course they already have a cute ducky logo.
Right now, this just reads like a power struggle between browsers and EU, with browsers (or at least Mozilla) trying to style this as some kind of grassroots movement.
I'm tired of billion dollar companies pretending to be student protesters.
Research the Turktrust incidents from 2013 why it's a bad idea to have this forced upon browsers.
The EU has recently acted untrustworthy. They're interested in breaching your privacy. The last attempt was made and thwarted just recently.
I have to repeat, research the new copyright and other digital regulations and the voting shenanigans from 2018.
The EU especially the unregulated EC is not trustworthy.
I don't know. I feel, if you're a government or an intelligence service, you already have enough methods to acquire fake certificates:
If the target domain has your country's TLD, you can compel your national registrar to manipulate DNS records, then get yourself a perfectly legitimate Let's Encrypt certificate for that domain.
Alternatively, you can go the direct route and approach one of the various private CAs in your country and force them to generate you the certificate you want.
You're not being censored by YCombinator as your other comments suggest. Users with enough karma are flagging your comments. I just flagged this comment as well to make sure it becomes dead like your other identical comment.
50 comments
[ 2.2 ms ] story [ 116 ms ] thread> Supporting QWACs will mean that browsers will have to support providers that issue them without independently vetting their security practices.
Think like EV-Certs, but now with more legally binding power cause you don't get them from some random private company but the government. Though admittedly that legal power is more of a thing when signing documents.
To me this sounds like "have a little duck next to the padlock, make users understand that not all encryption is alike" could be a solution.
What am I missing?
https://cabforum.org/baseline-requirements-documents/
But the OP webpage is so terrible that I’m really not sure what they’re talking about.
Additionally, eIDAS CA requirements and vetting have not been as strict as those in the CA/B Forum Baseline Requirements and the other documents related to DV/OV/EV certificate issuance.
Apart from that, there are known problems with QWAC (mostly related to name collisions, and the mostly manual process of vetting information being prone to errors), but that is generally a lesser issue than the above two.
Browsers would be forbidden from just deciding on their own to remove a root, but I imagine trust agents can lose their status and get removed from all browsers if they misbehave.
Decision on removal would lie with some EU agency though, not with individual browsers.
Do you have some more information about the actual differences between the requirements? I'd be interested to know and the article is certainly not telling them.
> mostly related to name collisions, and the mostly manual process of vetting information being prone to errors
What name collisions are those? If it's the old issue with confusing company names, the new certificates are supposed to contain a street address and a unique identifier to resolve that.
I don't have the right to hold that statement?
Should i create a .us/.com website, spread my message and target every american voters so you can understand me?
You didn't like when the Russian did something similar, why should it be ok when it is the americans doing it?
You can’t mandate or legislate security from the parliament. It takes hard work, skill, education, experience, luck and visibility.
In my world, the law is just someone’s opinion. Security deals with systems, math, information, physics. I want the EU far far away from my root CA store pls.
i want americans to mind their own business instead of trying to lobby in both EU/Asia by impersonating identities like with this .eu domain, what a trustworthy behavior btw ;)
> Cool. I trust the engineers at Mozilla far more than the politicians in EU.
> You can’t mandate or legislate security from the parliament. It takes hard work, skill, education, experience, luck and visibility.
nobody said nor want that, you should read the original articles instead of this propagandized website
nobody voted for mozilla, they hold their position by selling their userbase to google
if that's what you want to trust, be it, trust them
we should have alternatives for the people who do not want to trust such entity doing shady things like political interference in foreign countries
> We live on a shared internet plane
another reason to not trust an entity that is selling its userbase to the most evil company on the internet and is also selling ads to people's browser ;)
your avidity made you loose all sight, you also lack critical thinking
I don’t really care if every EU citizen voted to make math illegal. While there is sanity elsewhere, and an internet exists, we can route around the madness.
Nourishing yourself from multiple cultures would help you a lot developing critical thinking
You are stuck defending mozilla no matter what, fanboyism gets you nowhere, it makes you blind
> I don’t really care if every EU citizen voted to make math illegal. While there is sanity elsewhere, and an internet exists, we can route around the madness.
You'll remember that when times will make you want to go back in time and hope for an alternative path
I’m intrigued by why I would want to go back in time?
Maybe i perceive wrong, maybe you perceive right, you tell me
> I’m intrigued by why I would want to go back in time?
Read between the lines, here it's me projecting, i vow apocalypse and destruction
a shitty experiment that kills itself; selfish; racist; doesn't want humankind to transcend, instead wants to suck everything for their own very self
First, it amended the Stored Communications Act (SCA) to clarify whether requests issued under the SCA were more like warrants or more like subpoenas.
Roughly, a warrant authorizes law enforcement to do something they normally would not be allowed to do, like search a place or seize something.
A subpoena authorizes law enforcement to make someone else do something, like make someone to give law enforcement a copy of a document that is under that person's control.
This didn't expand any US government powers. It just clarified what existing power applied when asking for data. In particular it had nothing to do with asserting US jurisdiction extraterritorially, which is what a lot of people seem to think it was about.
Second, it made it easier for the US to enter into agreements to share data with foreign governments. Previously this had to be done through something called a "mutual legal assistance treaty" (MLAT). The CLOUD Act authorized the executive branch to make data sharing agreements, which is much more streamlined but also has much less oversight.
There was nothing really controversial about the first part. Pretty much every major country claims similar powers to require people in their country to turn over documents to the government as part of criminal investigations.
The controversial part was the second part. Many felt that it would allow the government to easily enter into data sharing agreements to get data without needing a subpoena or warrant, thus bypassing the courts and so effectively stripping away Fourth Amendment rights.
> This didn't expand any US government powers. It just clarified what existing power applied when asking for data. In particular it had nothing to do with asserting US jurisdiction extraterritorially, which is what a lot of people seem to think it was about.
Not a lawyer or expert in that area, but my understanding why specifically people in the EU were so upset about it (including ECJ judges apparently) was that this effectively did extend US jurisdiction - simply by virtue of US companies being active internationally, specifically tech companies.
The overwhelming part of all internet activities in the EU are facillitated through US companies (or local subsidiaries of them). This includes a large part of intra-EU activities. So if one german citizen writes another german citizen an email, chances are very high that email will be stored on a Google server - or at least on a server of a german subsidiary of Google. This makes the CLOUD act relevant to EU citizens, even though technically, the obligations of Google under it are a purely domestic affair.
So if the CLOUD act gives US agencies the power to subpoena Google to retrieve data about non-US citizens - while Google is effectively running large part of the internet for other countries - then that does feel a bit like extension of jurisdiction.
(It technically isn't, and to my knowledge the ECJ wasn't arguing that it was. The ECJ simply argued that Google's obligations under the CLOUD act are incompatible with Google's obligations under the GDPR. So something's got to give)
Going back to the beginning of the thread, I have to admit though, I have no idea if the CLOUD act would give agencies the power to force inclusion of certain root certs. So I take that back.
I have a company that operates a business in the US. I keep records on paper in filing cabinets at my office.
I decide to archive some records offsite. I do this by engaging the services of a storage firm that operates a vault in an old mine in a remote area. To store records I ship them in a box to the storage firm, which slaps a barcode on the box, assigns it to an open spot in the vault, and puts the box there.
If I ever need the records I ask the storage firm for them, they look them up in their records to find where they are in the vault, retrieves the box, and ships it to me.
I later want to archive more records, and I do the same thing except this time I use a different storage company. It works the same way--they store boxes I send them, and ship those back to me upon request.
The first storage company is somewhere in the US. The second storage company is Mexico.
Suppose the US government wants to look at some of my records. If they want to get warrants to seize those records themselves by going to where they are stored (my office and/or the storage vaults) a US court would have jurisdiction to issue such warrants for the records in my office and the records in the storage vault in the US. For the records in the vault in Mexico they would have to go through whatever Mexico's procedure is to get the records seized.
They need to go through Mexico for the Mexican vault because they are trying to force someone in Mexico to do something they have no obligation to do. They want someone to go into the vault and seize the records.
If, one the other hand, the government gets a subpoena asking me for the records which in order to comply with I'll have to ask the vaults to send me the records, no one in Mexico is being asked to do anything other than provide the service to me that I hired them to do. The Mexican government does not need to be involved, and has no interest in being involved because what is happening in Mexico is just normal operation of the storage service there.
The situation with Microsoft that prompted the CLOUD Act was similar, although the records weren't archived records. Microsoft in the US operated an email service. They stored the email at various cloud providers around the world. One of those cloud providers was an EU company that was owned by Microsoft but separate from the Microsoft owned US company that provided the email service. The US Microsoft email company's relation with the EU Microsoft cloud storage company was simply that of a customer that bought their storage service.
The US Microsoft email company had the right to retrieve any data it stored at that cloud service (or at any other cloud service it used) at any time. Nobody at the cloud storage company would have to be involve or even aware when this happened. To them it is all just customers using the storage APIs to access the customer's data.
There are GDPR issues, but note those same GDPR issues would also apply if the US company was storing data about EU people in cloud storage that was entirely in the US (their own or at a separate US cloud provider whose servers were in the US).
The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
[0]: page 35 from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
Annex IV page 42
If Mozilla has EU-based physical locations, would they be fined? With seizing of servers, real estate, bank accounts, etc. on EU territory if the fines aren't paid?
What if Mozilla has no permanent physical presence on EU territory? Could they still be fined? What happens if they ignore the fine? Could Mozilla executives on vacation in Europe, or technical staff presenting at European conferences, be arrested?
Would EU-based websites be legally required to block Firefox user agents? Would they be required to implement network-level firewalling of websites for downloading Firefox? Would it become illegal for EU residents to donate to Mozilla, or would the EU banking system be obligated to divert those donations to pay Mozilla's backlog of EU fines?
Would individual users on EU territory be subject to fines or arrest for running a browser without the QWAC root CA? What if they changed the browser settings, or recompiled the source code, to remove the QWAC root CA from the trust list?
Would it be illegal for Firefox to put QWAC on the trust list, but implement some sort of local "security enhancement proxy" whose sole purpose is to deny access to sites that use the QWAC CA?
They will be included by other browsers. They can also make certain services dependent on this CA.
Some people still believe that s stands for security in https.
But nowhere does it say what the actual vetting process for QWACs is and how it differs from the one of current certificates. Is that explained somewhere?
Also a bit disingenuous that nowhere on the page, they link to the actual specifications or discussions of the regulation, not even Wikipedia. All we get are some barebone definitions with a heavy dose of spin.
But of course they already have a cute ducky logo.
Right now, this just reads like a power struggle between browsers and EU, with browsers (or at least Mozilla) trying to style this as some kind of grassroots movement.
I'm tired of billion dollar companies pretending to be student protesters.
Wikipedia page on QWACs btw: https://en.m.wikipedia.org/wiki/Qualified_website_authentica...
The EU has recently acted untrustworthy. They're interested in breaching your privacy. The last attempt was made and thwarted just recently. I have to repeat, research the new copyright and other digital regulations and the voting shenanigans from 2018. The EU especially the unregulated EC is not trustworthy.
If the target domain has your country's TLD, you can compel your national registrar to manipulate DNS records, then get yourself a perfectly legitimate Let's Encrypt certificate for that domain.
Alternatively, you can go the direct route and approach one of the various private CAs in your country and force them to generate you the certificate you want.
> YCombinators silencing everything as usual