eIDAS QWAC Validator

The add-on validates whether the TLS certificate of visited websites is a ‘qualified web-access certificate’ (QWAC – conforming with ETSI EN 319 412-4), issued by a CA published in European Trust Lists for qualified electronic trust service providers, pursuant to Regulation (EU) № 910/2014 “eIDAS”.

The add-on shows a greyed-out EU logo at the right of the address bar. Clicking on it, European Commission's TL-Browser API (released under a GNU Lesser General Public License) is queried about the qualification status of the website's TLS certificate. The query results in the icon either turning to EU colours, confirming that is a valid QWAC, or being slashed in red otherwise.

Personal data processed by the add-on are the client's IP address, as well as the URL and TLS certificate of visited websites, as technical requirements to communicate with the aforementioned API. However, no personal data is processed whatsoever, unless the user explicitly consents to the privacy policy presented upon installation of the add-on. The consent may be retired and given back at any later time, via Firefox's configuration UI.

The address-bar icon may also include a red exclamation point in case the website cannot be authenticated a priori (e.g., missing, expired, or revoked TLS certificate), or the privacy policy has not been currently given consent to.

The add-on may outcome to false negatives in case the X.509 certificate uses non standard, yet legal, metadata (OIDs) in order to “self-qualify” itself. To such extent, the absence of qcStatements conforming to ETSI EN 319 412-5, immediately produces a negative result, without any API communication whatsoever.