Why replace SSL RGS* with eIDAS QWAC?
European Regulation No. 910/2014, known as "eIDAS" (Electronic IDentification, Authentication & Trust Services), laid the foundations for European harmonization in terms of certification. Its objective was to replace the standardization of each member state and in particular the RGS in France (created in 2005, revised in 2014 and then in 2020).
eIDAS version 2 was adopted by the Council of the European Union in March 2024. See http://data.europa.eu/eli/reg/2024/1183/oj.
What's new ?
This regulation strengthens certain services, in particular it structures the future European digital identity wallet ("EUDI Wallet"). In addition, its article 45 strengthens the recognition of QWACs (Qualified Certificates for Website Authentication), highly secure SSL certificates that web browsers will have to recognize. They will also have to offer a clear display of the certified data.
Indeed, consideration № 65 clarifies that "The issuance of website authentication certificates is intended to provide users with a high level of confidence as to the identity of the entity behind that site […]".
And specifies that "In order to further protect Union citizens and Union residents and to promote the use of qualified website authentication certificates, public authorities in the Member States should consider integrating qualified website authentication certificates into their websites."
What does it mean?
It seems to us that the will of the legislator is clear: to make QWAC the highly secure SSL certificate product used by public authorities in European countries. It is therefore predictable and expected that the latest SSL products on the national recognition lists (including the French RGS SSL) will be deprecated and replaced.
In addition, and very concretely, the procedures for issuing QWAC certificates are significantly more secure than those of the ancient RGS SSL. Since the RGS procedures are outdated, many public entities ignore them and prefer certificates without any authentication (DV).
TBS's position
Considering these elements, TBS has decided to recommend the use of QWAC certificates to French public entities.
Which product can replace the RGS* SSL certificate?
We recommend Sectigo QWAC products which have recognition in all web browsers and EU TSL recognition.
The products:
Bonus: These products can be reissued at anytime during their lifetime, unlike RGS products, which when they can be reissued, can only be reissued during the 3 months following their delivery. In addition, it is possible to modify the list of SANs of QWAC products via reissuance. Something also impossible for RGS products.
Sectigo QWAC products are in the TSL and are therefore Chorus Pro compatible.
How does the audit procedure differ?
The audit procedure is based in particular on a video phase, replacing a possible physical face-to-face meeting, which is often difficult to set up.
Similarly, the Sectigo QWAC audit process is based on the EV audit process. It benefits from:
- online signing of the subscription contract
- online transmission of identity documents
- online verification of identity photos
Want to test how a Sectigo QWAC certificate works? TBS has installed one of these certificates on its authority website, see sectigo.tbs-certificats.com.