The Markets for Website Authentication Certificates & Qualified Certificates Clara Galan Manso European Union Network and Information Security Agency
Summary 01 Contents of the study 02 Market analysis 03 Recommendations 2
ENISA study on QWACs
Content of the study 1. Introduction to website authentication certificates (WACs) 2. Introduction to trust services in the eidas Regulation 3. Qualified website authentication certificates (QWACs) in the context of eidas and existing types of certificates 3. Market characterization 4. SWOT analysis 5. Recommendations for the introduction in the market of QWACs 4
Market analysis
The market of qualified providers There are 146 providers in Europe issuing qualified certificates (November 2015) They are mostly nationally oriented The characteristics of market players differ among Member States At least half of the providers issue publicly trusted website authentication certificates 6
The market of qualified providers Member state TSPs in the trusted list Member state TSPs in the trusted list Austria 3 Italy 30 Belgium 3 Latvia 1 Bulgaria 5 Lithuania 3 Cyprus 0 Luxembourg 1 Croatia 1 Malta 0 Czech Republic 3 Netherlands 8 Denmark 0 Poland 6 Estonia 1 Portugal 8 Finland 1 Romania 5 France 12 Slovakia 5 Germany 11 Slovenia 5 Greece 5 Spain 24 Hungary 3 Sweden 1 Ireland 1 United Kingdom 0 7
The market for website authentication certificates Very concentrated in a few commercial entities (Four companies have 90% of the market for EV certificates) The market is global and companies offer services worldwide (most of the companies are US based) None of the main players have entered the qualified market 8
The market for website authentication certificates: Geographic distribution per market presence COUNTRY AUTHORITIES CERTIFICATES HOSTS United States 30.3% 77.6% 75.6% United Kingdom 3.3% 10.9% 18.2% Belgium 2.7% 3.3% 1.5% Israel 1.6% 2. 6% 0.9% Netherlands 2.2% 1.3% 0.5% Japan 3.4% 1.1% 1.2% Germany 21.3% 0.9% 0.4% France 4.0% 0.4% 0.1% Australia 0.8% 0.3% 0.1% Korea 1.4% 0.2% 0.1% Geographic distribution of top 10 countries issuing trusted certificates, 2013 Source: http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericaemb.pdf 9
The market for website authentication certificates: Geographic distribution per browser certificate list Percentage of TSPs per region in Windows root certificate program Africa 4% Americas 23% Percentage of TSPs per region in Mozilla Included TSP certificate list Americas 29% Europe 54% Europe 48% Asia 18% Australia 1% Asia 23% 10
Recommendations
Short-term Strategies I. Increase the number of websites using WACs in Europe Help end users and website owners understand the role WACs. Communicate more clearly the differences among types of WACs. II. Establish a market for QWACs Encourage EU public administrations to lead adoption. Encourage QTSPs to provide a full range of trust services. III. Align existing regulatory and industry led initiatives Take into account existing industry led initiatives. 12
Medium-term Strategies IV. Increase recognition of QWACs by end users Promote the acceptance of QWACs by browsers. Support the recognition of the EU trust mark. V. Strengthen the market position of QTSPs Promote cooperation among QTSPs. Incentivize QTSPs to expand beyond national markets. VI. Substantially increase the market share of QWACs Communicate to businesses the benefits of the legal framework. Promote the use of QWACs by specific critical sectors. 13
Long-term Strategy VII. Make QWACs the reference for high quality globally Promote the recognition of QWACs outside of the EU as a highquality product. 14
ENISA study on qualified website authentication certificates: Promoting consumer trust in the website authentication market https://www.enisa.europa.eu/activities/identity-andtrust/library/deliverables/qualified-website-authenticationcertificates/ 15
Clara Galan Manso clara.galanmanso@enisa.europa.eu http://www.enisa.europa.eu/