Steffen Schwalm
Nov 20, 2023 · 17 min read

QWAC or not QWAC, is that the question?

Last week the trilogue reached agreement on the new eIDAS regulation. It also includes an obligation for international browsers to accept QWACs, an obligation that Mozilla, Google and others apparently do not find acceptable. They published a paper on possible disadvantages and risks of QWACs, which was impressively refuted by the European Signature Dialogue. The whole discussion shows a seeming lack of interest in how the eIDAS trust framework actually works. There are many subjects to be discussed within eIDAS; a comprehensive background on eIDAS and its trust framework seems the necessary basis for a meaningful discussion.

eIDAS trust framework

Along with digital identities, eIDAS also defines (qualified) trust services. They comprise:

  • creation of (qualified) certificates for (qualified) electronic signatures, seals and/or time stamps
  • validation of (qualified) electronic signatures, seals and/or time stamps
  • (qualified) electronic registered delivery services
  • (qualified) preservation of (qualified) electronic signatures and/or seals
  • (qualified) website authentication certificates

Every QTSP is subject to the conditions of Chapter III eIDAS (Art. 13–14 for all (Q)TSPs, Art. 20 et seq. depending on the kind of trust service). This means:

  • supervision by the national supervisory body (in Germany the Federal Network Agency, BNetzA)
  • obligation of the national supervisory body to cooperate with the national data protection authorities
  • certification by an independent conformity assessment body (CAB), itself accredited by an independent accreditation body, against European standards (for eIDAS 1, under mandate M/460 of the European Commission, these are ETSI and CEN standards: https://portal.etsi.org/TB-SiteMap/ESI/Trust-Service-Providers and e.g. CEN EN 419 241)
  • after a successful conformity assessment, every QTSP is listed publicly in the national trusted list, which is consolidated in the List of the Lists (LOTL) of the EC: https://webgate.ec.europa.eu/tl-browser/#/
  • periodic repetition of the conformity assessment of every QTSP every 24 months; remember that the national supervisory body can request additional conformity assessments if necessary
  • full liability of the QTSP
  • obligation of the QTSP to notify any security or privacy breach to the relevant authority within a defined time (24 hours under Art. 19(2)), and to inform affected persons where the breach is likely to adversely affect them
  • obligation of the QTSP to fulfil all requests for remediation in case of non-conformities

In particular, the requirements of Art. 24(2) (and, for status information, Art. 24(4)) have to be mentioned:

  • (a) inform the supervisory body of any change in the provision of its qualified trust services and an intention to cease those activities;
  • (b) employ staff and, if applicable, subcontractors who possess the necessary expertise, reliability, experience, and qualifications and who have received appropriate training regarding security and personal data protection rules and shall apply administrative and management procedures which correspond to European or international standards;
  • (c) with regard to the risk of liability for damages in accordance with Article 13, maintain sufficient financial resources and/or obtain appropriate liability insurance, in accordance with national law;
  • (d) before entering into a contractual relationship, inform, in a clear and comprehensive manner, any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service, including any limitations on its use;
  • (e) use trustworthy systems and products that are protected against modification and ensure the technical security and reliability of the processes supported by them;
  • (f) use trustworthy systems to store data provided to it, in a verifiable form so that:
      • (i) they are publicly available for retrieval only where the consent of the person to whom the data relates has been obtained,
      • (ii) only authorised persons can make entries and changes to the stored data,
      • (iii) the data can be checked for authenticity;
  • (g) take appropriate measures against forgery and theft of data;
  • (h) record and keep accessible for an appropriate period of time, including after the activities of the qualified trust service provider have ceased, all relevant information concerning data issued and received by the qualified trust service provider, in particular, for the purpose of providing evidence in legal proceedings and for the purpose of ensuring continuity of the service. Such recording may be done electronically;
  • (i) have an up-to-date termination plan to ensure continuity of service in accordance with provisions verified by the supervisory body under point (i) of Article 17(4);
  • (j) ensure lawful processing of personal data in accordance with Directive 95/46/EC;
  • (k) in case of qualified trust service providers issuing qualified certificates, establish and keep updated a certificate database.
  • (Art. 24(4)) provide to any relying party information on the validity or revocation status of qualified certificates issued by them. This information shall be made available at least on a per certificate basis at any time and beyond the validity period of the certificate in an automated manner that is reliable, free of charge and efficient.

eIDAS is underpinned by mandatory implementing acts. In the context of digital identities, especially Implementing Regulation (EU) 2015/1502 has to be mentioned, which defines the requirements for the levels of assurance; in the context of trust services, Implementing Decision (EU) 2015/1506 should not be forgotten, which defines the mandatory signature formats for mutual recognition according to Art. 27 of the eIDAS 1.0 Regulation.

In summary, the current eIDAS Regulation follows the approach of a centralised digital identity, de facto issued by the Member State or under its control. This means that eIDAS assumes a government trust anchor for each digital identity, so that a trustworthy third party issuing the eID is always needed. A digital identity without a government trust anchor is not covered by eIDAS.

This does not mean that the Member States have control over any transaction the owner of the eID executes with its identity. It only means that the notifying Member State is responsible for security and liability, which is what the government trust anchor ensures. Besides the implementing acts, the eIDAS Regulation is also underpinned by a common Europe-wide technical standardization framework from the European standardization organizations ETSI and CEN, under mandate of the European Commission. Both standardization bodies work (similarly to ISO) under the Vienna Agreement and are independent of any government (see https://www.etsi.org/ and https://www.cencenelec.eu/). The standardization framework ensures interoperability of eID and trust services in Europe: for eID e.g. based on the results of the STORK[4] project, on eIDAS nodes and on the eIDAS minimum data set; for trust services through the ETSI standards on QTSPs and their devices[5].

The picture below shows the relation between the legal and the technical framework, using trust services as the example[6]:

Relationship between the eIDAS Regulation and European standards

The conformity assessments are carried out against ETSI standards and comprise Stage 1 (analysis of the necessary documents) and Stage 2 (technical evaluation) for each (qualified) trust service. Both stages have to be passed. The following picture shows the framework:

Standard Framework eIDAS (source: Cryptomathic)

The technical standards cover the whole eIDAS framework, e.g. trusted lists, basic security requirements for QTSPs and specific requirements for each kind of trust service. The basic requirements (ETSI EN 319 401), which have to be fulfilled by every QTSP, cover e.g.

  • fundamental security according to ISO 27k
  • privacy
  • business continuity according to ISO 22301
  • IT service management according to ISO 20000
  • records management

and require several policies such as:

  • information security policy
  • trust service practice statement
  • terms and conditions

most of which have to be published. For each kind of trust service, specific standards have to be fulfilled on top. This means: only a QTSP that fulfils ETSI EN 319 401 and the trust-service-specific standards will become (or remain) a QTSP. It also means that no government decides whether a company becomes a QTSP; an independent CAB does, and the national supervisory body only verifies the conformity assessment report before granting qualified status.

eIDAS created an EU- and EFTA-wide trusted space based on trust chains between the actors, each acting as a trustworthy third party. As shown for trust services, eIDAS always requires a trustworthy third party. There is no trust by default. Trust arises only from European law, supervised by European and national supervisory bodies, from accreditation of conformity assessment bodies under European standards, from certification of trust services by CABs under supervision of national supervisory bodies, and from verifiability via Europe-wide trusted lists: democratically created law, mutual control and certification, but also transparent verifiability.

The following picture shows the framework in overview:

eIDAS Trust Framework

This means that every QTSP is publicly verifiable via the trusted list and bears the full risk.
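How "publicly verifiable via the trusted list" works in practice: a relying party that wants to know whether a given CA may issue QWACs today looks for a TSPService entry in the national trusted list (ETSI TS 119 612 XML) whose service type is CA/QC, whose status is "granted", and which carries the ForWebSiteAuthentication qualifier. The following is an added example, not code from the original article or from any official tool; the trusted-list snippet is constructed and the provider and CA names in it are fictitious.

```python
"""Walk a (constructed) eIDAS trusted list and report the CA/QC services that
currently qualify for QWAC issuance.  Added example, not an official tool."""
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}  # trusted-list namespace (ETSI TS 119 612)
SVC_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
QUAL_WEB_AUTH = "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForWebSiteAuthentication"

# Constructed sample: one fictitious TSP with three CA/QC services.
SAMPLE_TL = """<?xml version="1.0" encoding="UTF-8"?>
<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
 <TrustServiceProviderList><TrustServiceProvider>
  <TSPInformation><TSPName><Name xml:lang="en">Example Trust GmbH</Name></TSPName></TSPInformation>
  <TSPServices>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example QWAC CA 2023</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId>
     <X509SubjectName>CN=Example QWAC CA 2023,O=Example Trust GmbH,C=DE</X509SubjectName>
    </DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2023-01-01T00:00:00Z</StatusStartingTime>
    <ServiceInformationExtensions><Extension Critical="false"><AdditionalServiceInformation>
     <URI xml:lang="en">http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForWebSiteAuthentication</URI>
    </AdditionalServiceInformation></Extension></ServiceInformationExtensions>
   </ServiceInformation></TSPService>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example QSeal CA 2022</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId>
     <X509SubjectName>CN=Example QSeal CA 2022,O=Example Trust GmbH,C=DE</X509SubjectName>
    </DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2022-01-01T00:00:00Z</StatusStartingTime>
    <ServiceInformationExtensions><Extension Critical="false"><AdditionalServiceInformation>
     <URI xml:lang="en">http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSeals</URI>
    </AdditionalServiceInformation></Extension></ServiceInformationExtensions>
   </ServiceInformation></TSPService>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example QWAC CA 2019</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId>
     <X509SubjectName>CN=Example QWAC CA 2019,O=Example Trust GmbH,C=DE</X509SubjectName>
    </DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
    <StatusStartingTime>2023-06-01T00:00:00Z</StatusStartingTime>
    <ServiceInformationExtensions><Extension Critical="false"><AdditionalServiceInformation>
     <URI xml:lang="en">http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForWebSiteAuthentication</URI>
    </AdditionalServiceInformation></Extension></ServiceInformationExtensions>
   </ServiceInformation></TSPService>
  </TSPServices>
 </TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""


def qwac_issuers(tl_xml):
    """Return [(tsp_name, service_name, x509_subject)] for every CA/QC service
    whose current status is 'granted' and which is flagged ForWebSiteAuthentication."""
    root = ET.fromstring(tl_xml)
    found = []
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        tsp_name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            if svc.findtext("tsl:ServiceTypeIdentifier", namespaces=NS) != SVC_CA_QC:
                continue  # not a qualified-certificate CA (could be TSA, QeRDS, ...)
            if svc.findtext("tsl:ServiceStatus", namespaces=NS) != STATUS_GRANTED:
                continue  # withdrawn / deprecated services stay listed but are not trusted now
            uris = {u.text for u in svc.iterfind(".//tsl:AdditionalServiceInformation/tsl:URI", NS)}
            if QUAL_WEB_AUTH not in uris:
                continue  # CA/QC for signatures or seals, not for website authentication
            found.append((tsp_name,
                          svc.findtext("tsl:ServiceName/tsl:Name", namespaces=NS),
                          svc.findtext("tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509SubjectName",
                                       namespaces=NS)))
    return found


def issuer_trusted_for_qwac(tl_xml, issuer_subject):
    """True if a certificate issued by `issuer_subject` may be treated as QWAC today."""
    return any(subject == issuer_subject for _, _, subject in qwac_issuers(tl_xml))


if __name__ == "__main__":
    for entry in qwac_issuers(SAMPLE_TL):
        print("QWAC issuer:", entry)
```

Matching on the X509SubjectName alone is a simplification for the example: a real validator matches the DigitalId's X509Certificate (or at least its SKI) against the issuer chain, verifies the XML signature of the trusted list and the pointer to it in the LOTL, and consults ServiceHistory so that a certificate issued while the service was still "granted" is judged by the status at issuance time rather than only the current one.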

The infrastructures of the individual QTSPs are separated, so that e.g. the PKI of one QTSP is not combined with that of another QTSP, a relying party or the user of a certificate. A QTSP issuing (qualified) certificates is obliged to provide revocation and status information on its certificates 24/7 to any requesting party, without learning for which purpose the information is needed. (An OCSP responder does see which certificate serial a client is checking and from which address, which is one reason website operators use OCSP stapling; it still learns nothing about the business purpose.) The same holds e.g. for the creation of qualified signatures: any user identified by the QTSP and using the 2FA issued by the QTSP will be able to sign, but the QTSP does not know the purpose and, given the increasing use of hash signing, does not even know the signed data. This also means that no QTSP has any technical possibility to monitor all business transactions of a user, because it has no access to the user's infrastructure.

Qualified Website Authentication Certificates
The purpose of a QWAC is to make the authenticity of a website, and thus of its owner, evident to third parties. QWACs may also be used e.g. for authentication of relying parties against wallets or other systems. The reason is that a QWAC requires valid identification of its holder by the QTSP issuing the QWAC.

The QTSP has to follow the relevant ETSI standards, especially ETSI EN 319 411-2 and ETSI EN 319 412-4. These standards cover e.g.

  • certificate policy and certification practice statement (to be published by the QTSP)
  • identification and authentication
  • certificate life-cycle operational requirements
  • revocation and status information
  • facility, management and operational controls
  • requirements on the PKI, security of certificate issuance, permitted content and attributes
  • technical security controls

Those requirements are part of the conformity assessment by the CAB. According to their normative references, they build on the CA/Browser Forum requirements but develop them further.

QWACs have existed, like all other (qualified) trust services and Part I of eIDAS on digital identities, since 2014. They are issued by QTSPs, not by governments, as laid down in Art. 45 eIDAS.

eIDAS 2.0

eIDAS 2.0 is only an amendment of the existing eIDAS regulation. This means that anything not explicitly changed in the final text of eIDAS 2.0 remains, because it was not part of the amendment. The trust framework as well as the eID part and the existing trust services remain in eIDAS 2.0. Besides the well-known EUDI Wallet, eIDAS 2.0 introduces the following new trust services:

  • electronic attestations of attributes (e.g. diploma, mobile driving licence)
  • remote signing (management of remote qualified signature creation devices)
  • archiving (electronic archiving services)
  • electronic ledgers

For the EUDIW as well as for all trust services, eIDAS 2.0 foresees mandatory implementing acts which will reference European standards (ETSI, CEN) in order to ensure interoperability and common security. Those standards will then become legally binding. Regarding security requirements for the EUDIW and for trust services, eIDAS 2.0 refers to the Cybersecurity Act and to NIS2, so the certification schemes have to rely on the Cybersecurity Act. Even more interesting is the combination of eIDAS 2.0 with NIS2. According to eIDAS 2.0, all qualified trust service providers "are required to take appropriate technical and organisational measures pursuant" to NIS2 (which already lists trust service providers in its Annex I). This means de facto that all QTSPs, including QTSPs issuing QWACs, become part of critical infrastructure, as NIS2 regulates critical infrastructure. As a result, QTSPs will be handled like electricity companies, hospitals, harbours and other parts of critical infrastructure, with their high security requirements. The practical implementation, especially the responsibilities of the supervisory bodies (e.g. in Germany the Federal Office for Information Security is responsible for critical infrastructures, while the Federal Network Agency is the supervisory body for QTSPs), will be clarified once eIDAS 2.0 becomes applicable.

Regarding QWACs, Art. 45 eIDAS 2.0 only defines the obligation for browsers to ensure interoperability with any QWAC (not with root CAs, as claimed in several publications), "with the exception of enterprises considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC during the first 5 years of operating as providers of web-browsing services." Web browsers also "shall ensure that the identity data attested in the certificate and additional attested attributes are displayed in a user-friendly manner".

According to Art. 45, QWACs have to fulfil the standards referenced in mandatory implementing acts (which have to be published within 12 months after eIDAS 2.0 enters into force) as well as the requirements of Annex IV eIDAS 2.0, which means:

“Qualified certificates for website authentication shall contain:

(a) an indication, at least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for website authentication;

(b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including at least the Member State in which that provider is established and:

— for a legal person: the name and, where applicable, registration number as stated in the official records,

— for a natural person: the person’s name;

(c) for natural persons: at least the name of the person to whom the certificate has been issued, or a pseudonym. If a pseudonym is used, it shall be clearly indicated;

(ca) for legal persons: a unique set of data unambiguously representing the legal person to whom the certificate is issued, with at least the name of the legal person to whom the certificate is issued and, where applicable, the registration number as stated in the official records

(d) elements of the address, including at least city and State, of the natural or legal person to whom the certificate is issued and, where applicable, as stated in the official records;

(e) the domain name(s) operated by the natural or legal person to whom the certificate is issued;

(f) details of the beginning and end of the certificate’s period of validity;

(g) the certificate identity code, which must be unique for the qualified trust service provider;

(h) the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;

(i) the location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (h) is available free of charge;

(j) the information, or the location of the certificate validity status services that can be used to enquire, about the validity status of the qualified certificate”
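Point (a) of Annex IV, "an indication, at least in a form suitable for automated processing", is what a browser or relying party actually tests. In the ETSI certificate profiles (EN 319 412-5, which the EN 319 412-4 QWAC profile builds on) that indication is the qcStatements extension (RFC 3739, OID 1.3.6.1.5.5.7.1.3) carrying the QcCompliance statement plus a QcType statement containing id-etsi-qct-web. The following is an added example, not code from the article or from any ETSI or browser project: a pure-Python DER encoder/decoder for exactly this extension value, with constructed sample values for a QWAC, a qualified seal certificate, and a non-qualified web certificate.

```python
"""Decide 'is this a QWAC?' from a certificate's qcStatements extension value.
Added example; the OIDs are the ETSI EN 319 412-5 identifiers, the DER helpers
are minimal and only cover what this extension needs (OID and SEQUENCE)."""

ID_QC_COMPLIANCE = "0.4.0.1862.1.1"    # id-etsi-qcs-QcCompliance: issued as qualified certificate
ID_QC_TYPE = "0.4.0.1862.1.6"          # id-etsi-qcs-QcType: SEQUENCE OF type OIDs follows
ID_QCT_ESIGN = "0.4.0.1862.1.6.1"      # id-etsi-qct-esign
ID_QCT_ESEAL = "0.4.0.1862.1.6.2"      # id-etsi-qct-eseal
ID_QCT_WEB = "0.4.0.1862.1.6.3"        # id-etsi-qct-web: website authentication


# --- minimal DER encoder ---------------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


# --- minimal DER decoder ---------------------------------------------------
def _tlv(buf, pos):
    """Return (tag, value, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out


def oid_str(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_qc_statements(der):
    """QCStatements ::= SEQUENCE OF QCStatement { statementId OID, statementInfo ANY OPTIONAL }
    -> {statementId: (tag, value) of statementInfo, or None}."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("qcStatements value must be a SEQUENCE")
    stmts = {}
    for tag, stmt in _children(body):
        parts = _children(stmt)
        if tag != 0x30 or not parts or parts[0][0] != 0x06:
            raise ValueError("malformed QCStatement")
        stmts[oid_str(parts[0][1])] = parts[1] if len(parts) > 1 else None
    return stmts


def qc_types(der):
    """Set of type OIDs from the QcType statement (empty if absent or malformed)."""
    info = parse_qc_statements(der).get(ID_QC_TYPE)
    if info is None or info[0] != 0x30:
        return set()
    return {oid_str(v) for t, v in _children(info[1]) if t == 0x06}


def is_qwac(der):
    """Annex IV (a) check: qualified (QcCompliance present) AND typed for web authentication."""
    return ID_QC_COMPLIANCE in parse_qc_statements(der) and ID_QCT_WEB in qc_types(der)


# Constructed sample extension values (the bytes a real certificate carries in 1.3.6.1.5.5.7.1.3)
QWAC_QCS = der_seq(der_seq(der_oid(ID_QC_COMPLIANCE)),
                   der_seq(der_oid(ID_QC_TYPE), der_seq(der_oid(ID_QCT_WEB))))
QSEAL_QCS = der_seq(der_seq(der_oid(ID_QC_COMPLIANCE)),
                    der_seq(der_oid(ID_QC_TYPE), der_seq(der_oid(ID_QCT_ESEAL))))
WEB_NOT_QUALIFIED = der_seq(der_seq(der_oid(ID_QC_TYPE), der_seq(der_oid(ID_QCT_WEB))))

if __name__ == "__main__":
    for name, value in [("QWAC", QWAC_QCS), ("QSeal", QSEAL_QCS), ("web, not qualified", WEB_NOT_QUALIFIED)]:
        print(f"{name:20s} {value.hex()}  is_qwac={is_qwac(value)}")
```

Two caveats a validator must keep in mind: the statement is only the certificate's own claim, so the issuing CA must additionally be found in the trusted list as a granted CA/QC service for website authentication, and the remaining Annex IV points (issuer and subject identification, domain names in the subjectAltName, validity period, serial number, CRL/OCSP locations) are ordinary X.509 fields that the profile constrains but that this snippet does not inspect.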

Web browsers are prohibited from implementing any measures contrary to their obligation to accept QWACs as laid down in the regulation. What is interesting is the rule on security breaches: eIDAS 2.0 gives web browsers the explicit option to act if they identify security breaches with any QWAC. Art. 45a-1 paragraph 2 states that "only in case of substantiated concerns related to breaches of security or loss of integrity of an identified certificate or set of certificates, web-browsers may take precautionary measures in relation to that certificate or set of certificates."
The only obligation is to cooperate with the European Commission and the relevant national supervisory body of the affected QTSP (Art. 45a-1 Nr. 3), in effect a responsible-disclosure requirement written into law. This means eIDAS 2.0 establishes an additional security control for QWACs: the web browsers themselves, i.e. those who have to accept the QWACs.

Conclusion

eIDAS 1 and 2 define a coherent trust framework in Europe in which law and technical standards interact comprehensively. The aim is to ensure data sovereignty, proven security and privacy for European citizens and companies. With eIDAS 2.0 the binding character, especially of the technical standards, will increase, as mandatory implementing acts are foreseen in the regulation for all subjects (eID schemes, EUDIW, trust services). eIDAS also ensures a well-balanced interaction between private parties (QTSPs, CABs) and public authorities (national cybersecurity authority, national supervisory body and national accreditation body). This distribution of tasks establishes a trust chain of trusted third parties which on the one hand control each other and on the other hand have to interact with each other, while conflicts of interest are avoided through a clear segregation of duties. So e.g. no root CA of any QTSP is run by a government authority, and no government body except the national supervisory body, in case of a security breach at a QTSP, has the possibility to intervene in the operations of a QTSP.
There is no trust by default in Europe, only trust by proof provided by a trusted third party. Trust is given by the law of democratically elected parliaments, executed by democratic governments and reviewable by independent courts, based on state-of-the-art technical standards referenced in implementing acts or developed by the mandated European standardization bodies (M/460, Vienna Agreement), whose application has to be demonstrated where the burden of proof applies.

The requirements on (qualified) trust services also increase, as they will de facto become part of critical infrastructure because of the entanglement of eIDAS 2.0 with the NIS2 Directive. With the additional reference to the Cybersecurity Act and its certification schemes, the complexity of conformity assessments for QTSPs will increase considerably. In parallel, the mandatory implementing acts mentioned above will support the harmonisation of conformity assessment requirements between the Member States.

Every QTSP will still have the obligations described in the section "eIDAS trust framework" of this paper: full liability, notification of security incidents within a defined time, conformity assessment by an independent CAB every two years, supervision by the national supervisory body, and transparent listing in the national and European trusted lists. Regarding transparency, it would be meaningful if the conformity assessment reports were available via the trusted list, e.g. attached to the dataset of each listed QTSP or EUDIW. This would support transparent security and competition on the best security level among QTSPs, and would help relying parties make a well-grounded choice of which QTSP to use for their business (this would not affect the obligation to accept certain QTSP products, but the choice of QTSP for signatures, seals, time stamps, QWACs etc. in the daily business of relying parties).

In the context of QWACs it has to be mentioned that a similar trust framework does not exist for the governance exercised by non-European browsers. It is understandable that a legal obligation to accept certificates from parties that were not certified under the browsers' own governance, i.e. certificates the browsers cannot control, leads to increased effort for the browsers. On the other hand, none of the eIDAS requirements described in the previous sections applies to the governance of non-European browsers, which means that the risk is fully borne by the user, and the user fully depends on the governance of private companies instead of a framework determined by European law, democratically legitimated governments and verifiable European standards. This also means that, unlike a QTSP, no non-European browser bears full liability by law in case of security issues or is obliged to report security breaches within a defined time to a designated regulatory authority. Nor is there a conformity assessment by a CAB accredited by an independent third party, which would verify not only security, business continuity and service management but also compliance with the GDPR and thus the privacy of European citizens. Last but not least, the mandatory termination plan and the obligation to publish the main policies of each QTSP should be mentioned, which ensure long-term security as well as transparency for the users of a QTSP.

Non-European browsers have their own governance, e.g. the CA/Browser Forum, but it is a private one defined by the browsers themselves, which practically means that the browsers de facto control themselves and are not controlled by an independent third party such as a CAB or a government authority, as in the eIDAS trust framework. So it is more a risk-based approach than trust in government authorities with protection or mitigation of possible risks in advance, the classical difference between common law (US/UK) and civil law (EU). The eIDAS trust framework is based on trust in government instead of trust in private companies: if you do not trust government, you will not trust eIDAS. So the question is not QWAC or not QWAC, but trust or distrust in European government. From a European perspective, however, the following questions remain: What makes non-European browsers trustworthy? Why should Europe trust non-European browsers instead of fully liable QTSPs certified by accredited CABs on the basis of European standards developed by independent European experts, supervised by democratically legitimated governments, and grounded in European regulation adopted by a democratically elected parliament, all of which can be reviewed by independent national or European courts? The answers to those questions will be part of a next paper.

Sources:

I. Alamillo, S. Schwalm: Self-Sovereign-Identity & eIDAS: a Contradiction? Challenges and Chances of eIDAS 2.0. in: European Review of Digital Administration & Law — Erdal 2021, Volume 2, Issue 2, pp. 89–108

Basics of Digital Signature Techniques and Trust Services. Federal Office for Information Security. Version 2.0, Berlin 2023.

Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity (Analysis of the final compromise text with a view to agreement). Brussels. 10.11.2023

REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014. on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

COMMISSION IMPLEMENTING REGULATION (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). GDPR, 2016

ETSI EN 319 102 Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation

ETSI EN 319 401 General Policy Requirements for Trust Service Providers

ETSI EN 319 411 Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements

ETSI EN 319 411 Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates

ETSI EN 319 411 Policy and security requirements for Trust Service Providers issuing certificates. Part 4: Checklist supporting audit of TSP against ETSI EN 319 411–1 or ETSI EN 319 411–2

ETSI EN 319 412 Certificate Profiles; Part 4: Certificate profile for web site certificates issued to organisations

ETSI EN 319 421 Policy and Security Requirements for Trust Service Providers issuing Time-Stamps. Electronic Signatures and Infrastructures (ESI);

ETSI TS 119 102-1 Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation, 2018.

ETSI TS 119 312 — Cryptographic Suites. 2019

ETSI TS 119 612 v2.2.1 Trusted Lists

S. Schwalm: The (not only) social impact of the eIDAS 2.0 digital identity approach in Germany and Europe: in: CRYPTOASSETS, DEFI REGULATION AND DLT: Proceedings of the II Token World Conference DERECHO DE BLOCKCHAIN Y DIGITALIZACIÓN DE LA SOCIEDAD PRINTED TITLES

T. Vogt, T. Kusber, S. Schwalm: Die Bedeutung der eIDAS-Verordnung für Unternehmen und Behörden Neue Chancen und Herausforderungen für vertrauenswürdige elektronische Geschäftsprozesse in Europa. Berlin 2015

Guideline for digital signature-, seal- and timestamp formats as well as technical evidence data (Evidence Record) V1.0, Federal Network Agency. 2020

A. Zaccaria, M. Schmidt-Kessel, R. Schulze, A. M Gambino: EU eIDAS-Regulation: Article-by-Article Commentary. Brussels 2020.

COMMISSION IMPLEMENTING DECISION (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

http://science2society.eu/content/stork-20

eIDAS und der ECM-Markt. Elektronische Identifizierung und Vertrauensdienste als Chance für die Digitalisierung. BITKOM 2020.

D. Huehnlein, J. Schwenk, T. Wich: Moderne Vertrauensdienste für vertrauenswürdige Transaktionen: Ergebnisse des Forschungsprojektes “FutureTrust”. Springer April 2019. Datenschutz und Datensicherheit — DuD 43(4):214–219.

M. Weber, T. Vogt, W. Krogel, S. Schwalm: Records Management acc. ISO 15489. Introduction and Guideline. Berlin 2018

U. Korte, D. Hühnlein, S. Schwalm: Standards for the preservation of evidence and trust. Proceedings Archiving 2014, Springfield 2014, pp. 9–14.

U. Korte: Criteria for trustworthy digital transactions (pp. 49–60); U. Korte, K. Shamburger, T. Kusber, S. Schwalm: Records Management and Long-Term Preservation of Evidence in DLT (pp. 131–142). In: Roßnagel, H., Schunck, C. H. & Mödersheim, S. (eds.), Open Identity Summit 2021. Bonn: Gesellschaft für Informatik e.V.

U. Korte. et al.: Vertrauenswürdiges E-Government -Anforderungen und Lösungen zur beweiswerterhaltenden Langzeitspeicherung, 2018

UN United Nations Commission on International Trade: UNCITRAL model law on electronic transferable records. United Nations, New York, 2017.