[Smcwg-public] [External] Draft proposal to add eIDAS QES as vetting evidence for individual
Judith Spencer
Judith.Spencer at certipath.com
Thu Apr 25 14:20:41 UTC 2024
Stephen
My primary concern with the proposed change is that once it finds it's way
into the BR, anyone not in the EU will be eliminated from trusting existing
digital signatures as evidence. For example, here in the U.S., the U.S.
Government has an extremely robust digital credential based on a full
background check that is independently assessed and accompanied by reams of
documentation, regulation and policy. Over 7 million individuals hold these
credentials. But by this policy, signatures from this community would not
be sufficient as evidence. The CertiPath community, comprised of major
Aerospace Corporations, would likewise be eliminated. While we don't employ
the same level of background checks in our identity proofing, it is
certainly based on sound practice and audited annually under WebTrust for
CA, which may not be a "national scheme" but is certainly a robust review
process widely recognized in the U.S. and Canada.
Unless you are prepared to identify schemes that cover all other regions of
the world, I believe it is too early to make this change. As a compromise,
I suggest you could identify eIDAS as the qualifying scheme for Europe and
remain silent on the rest of the world. I recommend you revise the opening
as follows:
"If a digital signature is to be used as evidence in the European Union, the
CA or RA SHALL only rely upon the following certificate type:"
Once sufficient assessment has taken place to include all participating
regions, the language could be further modified as you suggest.
Judy
Judith Spencer | PMA Chair | CertiPath, Inc.
1900 Reston Metro Plaza, Suite 303, Reston, VA 20190
PH +1.301.974.4227
Email <mailto:Judith.Spencer at CertiPath.com> Judith.Spencer at CertiPath.com
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen
Davidson via Smcwg-public
Sent: Wednesday, April 24, 2024 8:06 PM
To: smcwg-public at cabforum.org
Subject: [External] [Smcwg-public] Draft proposal to add eIDAS QES as
vetting evidence for individual
Hello all:
As discussed today, here is draft language for consideration to allow CAs to
rely upon signatures created with eIDAS Qualified certificates as evidence
supporting validation of individual identity.
https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md
I'd be grateful for feedback on this language.
Best, Stephen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20240425/ae7b07cc/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 8896 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20240425/ae7b07cc/attachment-0001.p7s>
More information about the Smcwg-public
mailing list