<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link="#467886" vlink="#96607D" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hi Judith –<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The text in question allows a CA to look at a third-party cert associated with a signature and, if it’s issued under an approved framework, the CA can accept the individual identity attributes in the cert as verified.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>When the BR was published it laid out acceptance criteria in 3.2.4.1 (4) (b) – but purposefully did not name any approved frameworks in 3.2.4.1 (4) (a) following a decision by the working group that each such framework should be the subject of a separate ballot. The current draft is an effort to “test” that process.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>See more at <a href="https://github.com/cabforum/smime/blob/main/SBR.md#3241-attribute-collection-of-individual-identity">https://github.com/cabforum/smime/blob/main/SBR.md#3241-attribute-collection-of-individual-identity</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Best, Stephen<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b><span style='font-family:"Calibri",sans-serif;mso-ligatures:none'>From:</span></b><span style='font-family:"Calibri",sans-serif;mso-ligatures:none'> Judith Spencer <Judith.Spencer@certipath.com> <br><b>Sent:</b> Thursday, April 25, 2024 11:21 AM<br><b>To:</b> Stephen Davidson <Stephen.Davidson@digicert.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org><br><b>Subject:</b> RE: [External] [Smcwg-public] Draft proposal to add eIDAS QES as vetting evidence for individual<o:p></o:p></span></p></div></div><p 
class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:12.0pt'>Stephen<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>My primary concern with the proposed change is that once it finds its way into the BR, anyone not in the EU will be eliminated from trusting existing digital signatures as evidence. For example, here in the U.S., the U.S. Government has an extremely robust digital credential based on a full background check that is independently assessed and accompanied by reams of documentation, regulation and policy. Over 7 million individuals hold these credentials. But by this policy, signatures from this community would not be sufficient as evidence. The CertiPath community, comprised of major Aerospace Corporations, would likewise be eliminated. While we don’t employ the same level of background checks in our identity proofing, it is certainly based on sound practice and audited annually under WebTrust for CA, which may not be a “national scheme” but is certainly a robust review process widely recognized in the U.S. and Canada. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Unless you are prepared to identify schemes that cover all other regions of the world, I believe it is too early to make this change. As a compromise, I suggest you could identify eIDAS as the qualifying scheme for Europe and remain silent on the rest of the world. I recommend you revise the opening as follows:<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Segoe UI",sans-serif;color:#1F2328;background:white'>“If a digital signature is to be used as evidence <u>in the European Union</u>, the CA or RA SHALL only rely upon the following certificate type:”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Once sufficient assessment has taken place to include all participating regions, the language could be further modified as you suggest. 
<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Judy<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><div><p class=MsoNormal><b><span style='font-family:"Calibri",sans-serif;mso-ligatures:none'>Judith Spencer | PMA Chair | CertiPath, Inc.<o:p></o:p></span></b></p><p class=MsoNormal><span lang=IT style='font-family:"Calibri",sans-serif;mso-ligatures:none'>1900 Reston Metro Plaza, Suite 303, Reston, VA 20190<o:p></o:p></span></p><p class=MsoNormal><b><span lang=IT style='font-family:"Calibri",sans-serif;mso-ligatures:none'>PH</span></b><span lang=IT style='font-family:"Calibri",sans-serif;mso-ligatures:none'> +1.301.974.4227<o:p></o:p></span></p><p class=MsoNormal><b><span style='font-family:"Calibri",sans-serif;mso-ligatures:none'>Email</span></b><span style='font-family:"Calibri",sans-serif;mso-ligatures:none'> <a href="mailto:Judith.Spencer@CertiPath.com"><span style='color:#0563C1'>Judith.Spencer@CertiPath.com</span></a> <o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-family:"Calibri",sans-serif;mso-ligatures:none'>From:</span></b><span style='font-family:"Calibri",sans-serif;mso-ligatures:none'> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Stephen Davidson via Smcwg-public<br><b>Sent:</b> Wednesday, April 24, 2024 8:06 PM<br><b>To:</b> <a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a><br><b>Subject:</b> [External] [Smcwg-public] Draft proposal to add eIDAS QES as vetting evidence for individual<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hello all:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal 
style='margin-bottom:12.0pt'>As discussed today, here is draft language for consideration to allow CAs to rely upon signatures created with eIDAS Qualified certificates as evidence supporting validation of individual identity.<o:p></o:p></p><p class=MsoNormal><a href="https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md">https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’d be grateful for feedback on this language.<o:p></o:p></p><p class=MsoNormal>Best, Stephen<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>