The European Commission is an EU legislative body with regulatory authority over digital technology. The EC’s eIDAS Article 45, a proposed regulation, would deliberately weaken areas of internet security that the industry has carefully evolved and hardened for over 25 years. The Article would effectively grant the 27 EU governments vastly expanded surveillance powers over internet use.
The rule would require all internet browsers to trust an additional root certificate from an agency (or a regulated entity) of each EU member state's national government. For the non-technical readers, I will explain what a root certificate is, how internet trust has evolved, and what Article 45 does to this. And then I will highlight some of the commentary from the tech community on this matter.
The next section of this article will explain how the trust infrastructure of the internet works. This background is necessary in order to understand how radical the proposed Article is. The explanation is intended to be accessible to a non-technical reader.
The regulation in question addresses internet security. Here, “internet” means, largely, browsers visiting websites. Internet security consists of many distinct aspects. Article 45 intends to modify public key infrastructure (PKI), a part of internet security since the mid-90s. PKI was first adopted, and then improved over a 25-year period, to give users and publishers the following assurances:
Privacy of the conversation between the browser and the website: Browsers and websites converse over the internet, a network of networks operated by Internet Service Providers, and Tier 1 carriers; or cellular carriers if the device is mobile. The network itself is not inherently safe nor trustworthy. Your nosy home ISP, a traveler in the airport lounge where you are waiting for your flight, or a data vendor looking to sell leads to advertisers might want to spy on you. Without any protection, a bad actor could view confidential data such as a password, credit card balance, or health information.
Guarantee that you view the page exactly the way the website sent it to you: When you view a web page, could it have been tampered with between the publisher and your browser? A censor might want to remove content that they don’t want you to see. Content labeled as “misinformation” was widely suppressed during covid hysteria. A hacker who had stolen your credit card might want to remove evidence of their fraudulent charges.
Guarantee that the website you see is really the one in the browser’s location bar: When you connect to a bank how do you know that you are seeing the website of that bank, not a fake version that looks identical? You check the location bar in your browser. Could your browser be tricked into showing you a fake website that appears identical to the real one? How does your browser know – for sure – that it is connected to the correct site?
In the early days of the internet, none of these assurances existed. In 2010, a browser plugin available in the add-on store let its user join someone else’s Facebook group chat over a cafe hotspot. Now, thanks to PKI, you can be pretty sure of these things.
These security features are provided by a system based on digital certificates. Digital certificates are a form of ID, the internet version of a driver’s license. When a browser connects to a site, the site presents a certificate to the browser. The certificate contains a cryptographic key. The browser and the website work together through a series of cryptographic calculations to set up secure communication.
Together, the browser and the website provide the three security guarantees:
privacy: by encrypting the conversation.
cryptographic digital signatures: to ensure that the content is not modified in flight.
verification of the publisher: through the chain of trust provided by PKI, that I will explain in more detail below.
A good identity should be difficult to counterfeit. In the ancient world, a wax casting of a seal served this purpose. Identities for humans have relied on biometrics. Your face is one of the oldest forms. In the non-digital world, when you need to access an age-restricted setting, such as ordering an alcoholic beverage, you will be asked for a photo ID.
Another biometric from before the digital era was to match your fresh pen-and-ink signature against your original signature on the back of your ID. As these older types of biometrics become easier to counterfeit, human identity verification has adapted. Now, it is common for a bank to send you a validation code on your mobile. The app requires you to pass a biometric identity check on your phone, such as face recognition or your fingerprint, before it shows you the code.
In addition to a biometric, the second factor that makes an ID trustworthy is the issuer. IDs that are widely accepted depend on the ability of the issuer to verify that the person applying for an ID is who they say they are. Most of the more widely accepted forms of ID are issued by government agencies, such as the Department of Motor Vehicles. If the issuing agency has reliable means to track who and where its subjects are, such as tax payments, employment records, or the use of water utility services, then there is a good chance the agency can verify that the person named on the ID is that person.
In the online world, governments have, for the most part, not involved themselves in identity verification. Certificates are issued by private sector firms known as certificate authorities (CAs). While certificates used to be quite expensive, fees have come down considerably, to the point where some are free. The best known CAs are Verisign, DigiCert and GoDaddy. Ryan Hurst shows that the seven major CAs (ISRG, DigiCert, Sectigo, Google, GoDaddy, Microsoft, and IdenTrust) issue 99% of all certificates.
The browser will accept a certificate as proof of identity only if the name field on the certificate matches the domain name, which the browser shows in the location bar. Even if the names match, does that prove that a certificate saying “apple.com” belongs to the consumer electronics business known as Apple, Inc.? Identity systems are not bulletproof. Underage drinkers can get fake IDs. Like human IDs, digital certificates can also be fake, or invalid for other reasons. A software engineer using free open source tools can create a digital certificate named “apple.com” with a few Linux commands.
The PKI system relies on CAs to issue any certificate only to the owner of the website. The workflow to acquire a certificate goes like this:
The publisher of a website applies to their preferred CA for a certificate, for a domain.
The CA verifies that the certificate request comes from the actual owner of that site. How does the CA establish this? The CA demands that the entity making the request publish a specific piece of content on a specific URL. The ability to do this proves that the entity has control over the website.
Once the website has proven ownership of the domain, the CA appends a cryptographic digital signature to the certificate using its own private cryptographic key. The signature identifies the CA as the issuer.
The signed certificate is conveyed to the person or entity making the request.
The publisher installs their certificate on their website, so it may be presented to browsers.
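The workflow above, together with the earlier point that anyone can mint a certificate bearing a well-known name, as an added example that is not from the article: a throw-away CA and a domain certificate built with the openssl command line, then checked the way a browser would check them. The CA name "Demo Root CA" and the domain "bank.example" are constructed placeholders, and an installed openssl binary is assumed.

```shell
#!/bin/sh
# Added example (not from the article): a miniature PKI built with the openssl CLI.
# "Demo Root CA" and "bank.example" are constructed placeholder names.
set -e
WORK=$(mktemp -d)
cd "$WORK"
KEY="-nodes -newkey rsa:2048"   # throw-away keys, no passphrase

# 1. The CA creates its private key and a self-signed root certificate.
#    Browsers ship a list of such roots; Article 45 would add one per member state.
openssl req -x509 $KEY -days 30 -keyout ca.key -out ca.crt -subj "/CN=Demo Root CA" 2>/dev/null

# 2. The publisher creates a key and a certificate signing request (CSR) for its domain.
openssl req -new $KEY -keyout site.key -out site.csr -subj "/CN=bank.example" 2>/dev/null

# 3. After domain validation (the URL challenge described above; not modelled here)
#    the CA signs the request with its own private key, naming itself as issuer.
printf 'subjectAltName=DNS:bank.example\n' > site.ext
openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile site.ext -days 30 -out site.crt 2>/dev/null

# 4. Anyone can mint a certificate that also says "bank.example", but it is only self-signed.
openssl req -x509 $KEY -days 30 -keyout fake.key -out fake.crt -subj "/CN=bank.example" 2>/dev/null

# chain_ok ROOT CERT: succeeds only if CERT's signature chains up to the trusted ROOT.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# host_ok ROOT HOST CERT: additionally requires CERT's name to match HOST,
# the same comparison a browser makes against its location bar.
host_ok() { openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; }

chain_ok ca.crt site.crt   && echo "site.crt: trusted via Demo Root CA"
chain_ok ca.crt fake.crt   || echo "fake.crt: rejected, no trusted issuer"
chain_ok fake.crt fake.crt && echo "fake.crt: accepted only once its own root is trusted"
host_ok ca.crt other.example site.crt || echo "site.crt: name does not match other.example"
```

The last two lines are the crux: a certificate is only as trustworthy as the roots in the browser's store, and adding a root makes every certificate that root signs acceptable for any name.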