Qualified website authentication certificate
An ENISA report proposed six strategies and twelve recommended actions as an escalating approach that targets the aspects identified as most critical for improving the website authentication market in Europe and for successfully introducing qualified website authentication certificates as a means of increasing transparency in that market.
QWAC in the context of other standards
There are different types of website authentication certificates: Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV). A further distinction among website authentication certificates concerns the number of domains secured by the certificate: single-domain, wildcard and multi-domain. Extended Validation certificates offer the highest level of assurance about the identity of the certificate owner among the certificate types currently on the market. The use of an EV certificate is typically indicated by a green color, but this varies by browser.
The eIDAS Regulation takes into account that there is an established market with its own industry standardization efforts. The objective is not to disrupt existing initiatives, but to minimize the effort qualified providers must make to comply both with the EU regulation and with existing market standards.
In the eIDAS Regulation, trust services are defined as electronic services, normally provided by trust service providers (TSPs), consisting of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication.
In essence, the eIDAS Regulation provides a framework to promote:
- Transparency and accountability: well-defined minimum obligations and liability for TSPs.
- Guaranteed trustworthiness of the services, together with security requirements for TSPs.
- Technological neutrality: avoiding requirements that could only be met by a specific technology.
- Certainty about market rules and standardization.
Website authentication certificates are one of the five trust services defined in the eIDAS Regulation. Article 45 requires trust service providers that issue qualified website authentication certificates to be qualified themselves, which means that all requirements for qualified trust service providers (QTSPs) described in the previous section apply to them. Annex IV defines the content of qualified certificates for website authentication:
1. An indication that the certificate has been issued as a qualified certificate for website authentication.
2. A set of data unambiguously representing the qualified trust service provider issuing the qualified certificates, including the member state in which that provider is established and, as appropriate:
   - for a legal person: the name and, where applicable, the registration number as stated in the official records,
   - for a natural person: the person's name.
3. For natural persons: at least the name of the person to whom the certificate has been issued, or a pseudonym. If a pseudonym is used, it shall be clearly indicated. For legal persons: at least the name of the legal person to whom the certificate is issued and, where applicable, the registration number as stated in the official records.
4. Elements of the address, including at least city and state, of the natural or legal person to whom the certificate is issued and, where applicable, as stated in the official records.
5. The domain names operated by the natural or legal person to whom the certificate is issued.
6. The certificate's period of validity.
7. The certificate identity code, which must be unique for the qualified trust service provider.
8. The advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider.
9. The location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point 8 is available free of charge.
10. The location of the certificate validity status services that can be used to enquire as to the validity status of the qualified certificate.
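In deployed certificates the indication required by point 1 is carried in the X.509 QcStatements extension as profiled in ETSI EN 319 412-5 (a standard this page does not cite): a QcCompliance statement plus a QcType statement naming id-etsi-qct-web. The following standard-library Python is an added example, not code from this page or from ENISA; it parses a hand-constructed QcStatements value and reports whether the certificate is marked as a qualified website authentication certificate, with the OID constants taken from that ETSI standard.

```python
# Added example (not from the page or ENISA): decode an X.509 QcStatements extension
# value and report whether it marks a qualified website authentication certificate.
# OIDs from ETSI EN 319 412-5; standard library only; sample bytes constructed by hand.
QC_COMPLIANCE = "0.4.0.1862.1.1"   # id-etsi-qcs-QcCompliance
QC_TYPE = "0.4.0.1862.1.6"         # id-etsi-qcs-QcType
QCT_WEB = "0.4.0.1862.1.6.3"       # id-etsi-qct-web (website authentication)
def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(raw):
    """Convert DER OID content bytes to dotted-decimal form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                                # last byte of this arc
            if arcs:
                arcs.append(value)
            else:                                       # first arc byte holds two arcs
                arcs.extend(divmod(value, 40) if value < 80 else (2, value - 80))
            value = 0
    return ".".join(map(str, arcs))
def parse_qc_statements(der):
    """Return {statementId OID: [OIDs in its statementInfo]} for a QcStatements value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("QcStatements must be a SEQUENCE")
    statements, pos = {}, 0
    while pos < len(body):
        _, stmt, pos = _read_tlv(body, pos)             # one QCStatement
        _, oid_raw, inner = _read_tlv(stmt, 0)          # its statementId
        info = []
        if inner < len(stmt):                           # optional statementInfo
            _, info_body, _ = _read_tlv(stmt, inner)    # for QcType: SEQUENCE OF OID
            p = 0
            while p < len(info_body):
                _, o, p = _read_tlv(info_body, p)
                info.append(_decode_oid(o))
        statements[_decode_oid(oid_raw)] = info
    return statements
def is_qwac_indicated(der):
    """True only if QcCompliance is asserted and QcType names id-etsi-qct-web."""
    s = parse_qc_statements(der)
    return QC_COMPLIANCE in s and QCT_WEB in s.get(QC_TYPE, [])
# Constructed samples: QcCompliance + QcType{qct-web}; the same with qct-esign instead
SAMPLE_WEB = bytes.fromhex("301f3008060604008e460101" "3013060604008e46010630090607" "04008e46010603")
SAMPLE_ESIGN = SAMPLE_WEB[:-1] + b"\x01"
```

This checks only point 1 of Annex IV; it says nothing about the other nine points or about whether the issuer is in fact a qualified trust service provider as Article 45 requires.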