
Root Causes 539: What Is the Two-QWAC Architecture?

Hosted by
Tim Callan
Chief Compliance Officer
Original broadcast date
October 22, 2025

A new kind of eIDAS QWAC (Qualified Website Authentication Certificate) is on the way. The "two-QWAC architecture" introduces a second certificate containing organization information to be displayed by the browser, which sits alongside but is independent of the certificate that authenticates a domain. We explain what's coming and why.

Podcast Transcript

Tim Callan: So, Jason, I've got an eIDAS joke for you.
Jason Soroko: Those are the best jokes.
Tim Callan: When's the last time we had a good eIDAS joke? Ready? Okay. Quack, quack, what am I?
Jason Soroko: Tell me, Tim.
Tim Callan: I am the two-QWAC architecture.
Jason Soroko: Two-QWAC architecture.
Tim Callan: I am not a duck. Okay? What is the two-QWAC architecture? So, QWAC, Q-W-A-C, is the eIDAS web server certificate. And this is part of the eIDAS standard. It's one of the types of certificates you can obtain. It's one of the things that can be offered by a TSP. We are a TSP, for example. We offer QWACs. A lot of people do. A lot of traditional CA/Browser Forum, WebTrust CAs are also TSPs. And then there's TSPs that aren't WebTrust CAs, and that's kind of a complicated world. But a TSP, a trusted service provider, is someone who can issue a variety of eIDAS certs, including a QWAC. A QWAC is an awful lot like an OV SSL certificate. All well and good. Okay? Now, there has been a multi-year discussion between the EU and the browsers and ETSI, and it has resulted in the going-forward plan, which is called the two-QWAC architecture. And the basic idea here is that the EU wants there to be a way for a consumer to get information about the organization that operates the website that it's going to. This is like an old, a pre-five-years-ago, EV kind of philosophy. Remember the green address bar?
Jason Soroko: Yes, sir.
Tim Callan: That kind of philosophy, where organization details will be available. The browsers are going to need to be able to provide that. That's European law, as part of eIDAS 2. Now, how is that going to happen? So the implementation that we're expecting, and this is very important, is there's going to be what we call the two-certificate or two-QWAC architecture. And what this is, is it's a decoupling of domain validation from organization validation. So right now they exist in the same cert. You can get an OV cert, and there's a cert that has org details and it's validated to a domain or a set of domains. You can get an EV cert and it has org details and it is also validated to a set of domains. Now imagine if we break those out into two separate certs. One of them is just a DV cert. Just a DV cert, just like we're all used to. The other one is a set of org details in an authentication cert, which is a cert that doesn't connect to a domain at all and simply vouches for the set of information about an organization. So let me pause there.
Jason Soroko: Tim, my first question: how are they bound?
Tim Callan: They're not. They are independent. So you will need a DV cert, or it won't work. Just as you do today. You can get an optional organization authentication cert, and in the event that that cert is present, there will be a consumer-visible interface - the details of which are not clear. It won't necessarily be a green address bar, but there will be a consumer-visible interface that will present those details for the consumer to view if they want to.
Jason Soroko: I think it's a good idea to separate, because of the fact that having the equivalent of EV/OV information within different validation types, the way we do things today in traditional publicly trusted certificates, means you might need a bunch of cert types, and having to pay for organizational validation more than once, essentially because you're buying more than one certificate at a higher price. This is a way around that. I think that it normalizes the cost of doing the OV information the one time, rather than spreading it out over a larger amount of expense. Was that the main reason for it, or what? In other words, to me, that's the main reason you would do it.
Tim Callan: So, the EU has been very clear that this is a capability it wants to give to subscribers and the relying parties. That it wants relying parties to be able to go to a website and see this information, and presumably, in the event of websites that don't present this information, it wants relying parties to be able to vote with their feet. Say, if you're not going to tell me who you are, I'm going to go shop over here where somebody does. And it's very focused on the consumer protection aspect of this, because it's Europe. So, of course. Philosophically, it's much more focused on consumer protection and citizen protection. And you see that at work here. The decoupling of the two was a suggestion that came up during this process, and I think one of the arguments, certainly, is that it allows our DV certs to essentially remain unchanged. And so this DV model that we have, that's technically and procedurally very, very proven, doesn't get completely disrupted. And I think this is kind of a compromise. The thing they say about compromise is, everybody is unhappy. I think this is kind of a compromise in that we've seen lots and lots and lots of public sentiment from browsers, especially Chrome, saying that they do not care for or want this green bar style information. They've been out at design conferences giving papers and all that stuff. That was maybe four or five years ago; that was the big push: get the UX people out there at these conferences explaining why we're getting rid of the indicators. So you see philosophically that there's a lot of UX people at major browsers that don't really want these indicators, and left to their own, they wouldn't have them, because we saw what happened when they were left to their own. They didn't have them. But then you have these members of the EU government that are equally committed that they have to provide this to their citizens.
So this was a suggestion that I think everybody could live with, where subscribers have the option of presenting this information. Now I think that'll be what's interesting to see, because back in the early days of the green address bar, there was research. People would actually measure tick rates, click rates, site times, time on site, between green bars and not green bars, and there were a variety of ways you could do that, and you very consistently saw that consumers rewarded the green address bar with more interaction with the site, which became a compelling indicator to the people who made these sites to say, this is something that people who visit my site want, or at minimum, this is something they respond well to. And then that became reason enough for them to do it. But that was a very different time. And it was a very different UX kind of standard, but also it was the late 2000s. So what a consumer, what your typical user of online shopping or online banking did in 2008 might not tell us what's going to happen now. But it certainly is possible that the people who operate sites reason the exact same way. They're like, you know what? I really am Bank of Whoever, Bank of Montenegro, and I want people to know that, and I provide them with better security, and maybe also they know I provide them with better security and they're more likely to bank on my system, they do more transactions there, and spend less time walking into a branch, or apply for more credit cards, or whatever it is. And so they might be very well motivated to provide that information on the site. And since it will be optional, since a website doesn't have to include this, they're going to have to have motivations to include it. So if they do that, if the websites really do say I'm motivated to include this, I'm going to put this on my site because security is better, or because confidence is better, then that gives the EU what they want, which is that the citizens have this information.
If they're not motivated to do that - because there's going to be extra expense or extra effort involved in having this authentication cert and it doesn't actually affect their bottom line - then I predict that they won't, and the EU won't get what it wants. And either way, the browsers get what they want, which is that their DV certs remain essentially unchanged. And so this is kind of a big deal. We don't talk about it very much, but we're talking about a change, a very basic change, to the architecture of a publicly trusted web server certificate that's more fundamental than anything we've seen since the advent of DV certs, in my opinion. It's a very big architectural change.
Jason Soroko: It's interesting. We should probably have a podcast at some point in the future about ways in which there is a split, much more than there was in the past, where quite often it's Europe going off and doing its own thing.
Tim Callan: We've seen a lot of that. We've talked a lot about this very proactive, assertive Europe that is using the power of law to force behaviors out of tech companies, mostly big American tech companies, that they otherwise would not want to do. Probably the best example of that is GDPR. How GDPR, European law, has changed everybody's behavior globally.
Jason Soroko: That's the one.
Tim Callan: And the eIDAS 2.0 wallet is another very interesting example of that, quite possibly. Still kind of in the future, but this two-certificate architecture could be really big now. Now, of course, European law only has power in Europe. So hypothetically, for instance, you don't have to do this in the Get Off My Lawn browser, unless you start making it available to Europeans.
Jason Soroko: That's correct. That's correct.
Tim Callan: Because they have no power over you. So one of the possibilities - which I think is not likely - is that you see versions of browsers. So you see a European version that has this, that displays this cert, and an American version that doesn't. There's a lot of reasons why that is not a great solution. It adds a lot of overhead and complexity and risk and just all kinds of stuff that you don't really want if you're a manufacturer of a major browser, and if you feel like you're going to be better off with one version everywhere, you could see that happening. But if that happens, now this becomes interesting, because now let's say I'm a North American online retailer, and I'm of the opinion that people will purchase more from me if my store details are there. Fine. I can go buy a QWAC. I can get that in North America. So that could be an interesting way that, call it green bar 2.0, which isn't necessarily green and isn't necessarily a bar, but that green bar 2.0 creeps back into the global website community.
Jason Soroko: Visual elements on a web browser coming back.
Tim Callan: Visual elements on a web browser coming back, indicating the organization that operates an online property, which goes all the way back to the beginning. That's very 1995.
Jason Soroko: Absolutely.
Tim Callan: And so, it's not clear how it's all going to play out. One possibility is nobody gets them, nobody uses them, nobody cares. Could happen. Another possibility is that a significant, a non-trivial number of the people who operate web properties believe that there is a greater-than-zero benefit to security or transactions or customer sat or something, that the investment is low, that implementing the certs is easy, and that we just need to shut up and do it. And you could see a whole bunch of it. Could see it everywhere. It could become the de facto norm. And if you don't have it, you look like there's something wrong with you. So there's a huge range of possible outcomes here, and I'm going to be fascinated to see how this develops.
Jason Soroko: It will be interesting. I think people vote with their dollars every day when they go out and buy an EV cert right now. People are obviously seeing a greater-than-zero value with that.
Tim Callan: Well, I mean, this is the thing. I would contend that the reason they're buying an EV cert today is more habit than anything else. However - five years ago? Yes. And the question there is like, if you go back in time, if you imagine, making up a date, 2017. If you were buying an EV cert, you did it because you were of the belief, whether or not you were measuring it anymore at that date in history, you were of the belief that it translated to one of these things - greater security, greater customer satisfaction, or greater transactions. One of those things you believed was happening. That's why you would bother with it. Again, I bet you that by that date in history, most people weren't measuring it. Supposedly back in 2009 they were, because they wanted to know if it mattered. Now if it comes back, it'll be interesting to see if that sort of thinking returns and suddenly we start seeing authentication certificates again.
Jason Soroko: I think leaving it to Google, who has a vested interest to not have it, and they've stated why.
Tim Callan: Google definitely, clearly doesn't want it. Like, that's just in their behavior, just seeing the products they've released.
Jason Soroko: Exactly right. But on the other hand, it's interesting that it took the Europeans to be like, you know what, we're gonna mandate it, to have it back. And I find it interesting that it's also not shoved down anybody's throat. It is optional. And as you've said, we'll see what happens.
Tim Callan: We'll see what happens. I think it's gonna be fascinating. I'm also not clear on how straightforward that will be. You certainly could have two clusters, and one could have this kind of cert and the other couldn't. You could do it. It'll be interesting to see if anybody does, and if they actually can say how the behavior is different.
Jason Soroko: We'll see, Tim.
Tim Callan: We'll see.
Jason Soroko: Well, thanks for bringing it up.
Tim Callan: So anyway, quack, quack.
Jason Soroko: Quack, quack. Thanks.
Tim Callan: Okay.
