Thoughts on the EU's QWAC Proposal

I was recently listening to Security Now!’s coverage of the EU’s QWAC proposal. There’s much debate regarding the EU’s role in the global PKI ecosystem, and it dawned on me that there’s a far simpler solution that should (hopefully) address everyone’s concerns.

Instead of operating a root CA, the EU should operate a Certificate Transparency Log.

Let me explain. The Certificate Transparency system was envisioned to countersign existing certificates, ensuring that each certificate’s issuance was included in a public log. The result is that the body of the certificate (i.e. subject, public key, etc.) is signed by both the CA and the CT Log. Certificates can (and often do) have multiple CT Log signatures.

What I’m proposing is that the EU operate its own CT Log server. But unlike standard CT Log servers, which will sign any certificate sent their way, the EU would only countersign certificates that meet the QWAC requirements. For example, ensuring that the subject fields (name, address, etc.) are valid and that the authenticity of the requestor is confirmed.

The basic flow would be: (1) User submits a CSR to their preferred CA, just like they always do. (2) The CA performs its standard domain name and OV/EV verification. (3) User is redirected to an EU-managed portal to further complete their QWAC verification. (4) Once both the CA and EU are satisfied, the CSR is signed by the CA and a CT Log signature is added by the EU.

The benefits: the EU no longer operates a root CA that’s globally trusted; the EU’s approval of a certificate is as cryptographically secure as if they ran their own root CA; existing applications continue uninterrupted (since this is just another CT signature); the existing CT Log ecosystem also continues on (as they can still add additional countersignatures to QWAC certificates); and client-side QWAC verification can now be accomplished either by the browser natively or via a browser plugin (effectively offering an opt-in option).
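The client-side check mentioned above, sketched as an added example that is not part of the original post: it parses a certificate's SCT list in the RFC 6962 wire format and looks for an entry naming the EU log. The key bytes `EU_LOG_KEY`, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import struct

# Constructed stand-in for the EU log's public key; a real client would pin the actual key.
EU_LOG_KEY = b"constructed-eu-qwac-log-public-key"
EU_LOG_ID = hashlib.sha256(EU_LOG_KEY).digest()  # RFC 6962: log ID = SHA-256 of the log key


def parse_sct(sct: bytes) -> dict:
    """Parse one v1 SCT: version, log ID, timestamp, extensions, signature."""
    if len(sct) < 47 or sct[0] != 0:
        raise ValueError("not a well-formed v1 SCT")
    timestamp, ext_len = struct.unpack_from(">QH", sct, 33)
    pos = 43 + ext_len
    if pos + 4 > len(sct):
        raise ValueError("extensions overrun SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    if pos + 4 + sig_len != len(sct):
        raise ValueError("signature length mismatch")
    return {"log_id": sct[1:33], "timestamp_ms": timestamp,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sct[pos + 4:]}


def parse_sct_list(data: bytes) -> list:
    """Parse the TLS-encoded SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + n > len(data):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts


def has_eu_countersignature(sct_list: bytes) -> bool:
    """True if any SCT names the EU log. The SCT signature is NOT verified here."""
    return any(s["log_id"] == EU_LOG_ID for s in parse_sct_list(sct_list))


def build_sct_list(log_ids) -> bytes:
    """Build a constructed sample list with dummy 8-byte signatures (SHA-256=4, ECDSA=3)."""
    out = b""
    for log_id in log_ids:
        sct = (b"\x00" + log_id + struct.pack(">QH", 1700000000000, 0)
               + struct.pack(">BBH", 4, 3, 8) + b"\x00" * 8)
        out += struct.pack(">H", len(sct)) + sct
    return struct.pack(">H", len(out)) + out
```

A log ID match only shows which log an SCT claims to come from; a browser or plugin relying on it would also have to verify the SCT signature against the pinned log key before treating the certificate as EU-approved.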

Standard caveat: the above is my personal opinion and does not represent anyone else’s opinion/position.

This post originally appeared on Mastodon.