<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Adriano,<br>
    <br>
    eIDAS2 goes into effect May 20, 2024 and updates specific articles
    of eIDAS1. The proposed changes to the SMBRs don't include specific
    eIDAS articles.<br>
    <br>
    If you are concerned with the justification part of the ballot, we
    could simply state "as amended by Regulation (EU) 2024/1183" which
    covers all changes.<br>
    <br>
    I don't have a "codified" version of the eIDAS2 Regulation (that is
    the final text of eIDAS1 including the changes from eIDAS2). If you
    have such a version, it would help Stephen do a cross-check for any
    deleted articles.<br>
    <br>
    <br>
    Thanks,<br>
    Dimitris.<br>
    <br>
    <br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 30/4/2024 9:27 a.m., Adriano Santoni
      via Smcwg-public wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:0100018f2dafb65b-ed079939-c824-437f-8a08-42edb28e89d2-000000@email.amazonses.com">
      <p>I agree with Dimitris' suggestions, as far
          as the eIDAS framework is concerned.</p>
      <p>In the meantime, let's note that today
        eIDAS2 was published in the EU Official Journal as Regulation
        (EU) 2024/1183 amending the old eIDAS (Regulation (EU) No
        910/2014), and some of the original articles have been deleted,
        so if we intend to insert references to some of the Regulation's
        articles in the SMBR we should take care to mention the right
        ones :)</p>
      <p>Adriano</p>
      <p><br>
      </p>
      <div class="moz-cite-prefix">On 29/04/2024 18:55, Dimitris
        Zacharopoulos (HARICA) via Smcwg-public wrote:<br>
      </div>
      <blockquote type="cite"
cite="mid:0100018f2ac82989-d0dc56df-6b57-42ca-ade1-b29c429c2344-000000@email.amazonses.com">
        Hi Stephen, <br>
        <br>
        After some internal review and based on the fact that eIDAS
        supports identity proofing for natural persons AND legal
        entities, I have some suggestions. <br>
        <br>
        In 3.2.4.1 (4) which is related to "Attribute collection of
        individual identity": <br>
        <br>
        From: <br>
        <br>
        <i>eIDAS Qualified: The CA MAY rely upon a signature created
          using a Qualified Electronic Signature Certificate issued by a
          trust service holding the "<a
            href="http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
            rel="nofollow" class="moz-txt-link-freetext"
            moz-do-not-send="true">http://uri.etsi.org/TrstSvc/Svctype/CA/QC</a>"
          service type and the "<a
href="http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
            rel="nofollow" class="moz-txt-link-freetext"
            moz-do-not-send="true">http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</a>"
          status on an EU Trusted List. The "GRANTED" status must be
          effective at the time of signing (if the signature is
          associated with a Qualified time stamp) or at the time of
          validation (if the signature is not associated with a
          Qualified time stamp). The signature certificate SHALL include
          the <code>esi4-qcStatement-6</code> Qcstatement as specified
          in clause 4.2.1 of ETSI EN 319 412-5 incorporating the <code>id-etsi-qct-esign</code>
          QcType as specified in clause 4.2.3 of ETSI EN 319 412-5.</i>
        <br>
        <br>
        To: <br>
        <br>
        <i>eIDAS Qualified: The CA MAY rely upon a <b>digital</b>
          signature created using a <b>Qualified Certificate for
            Electronic Signatures</b> issued by a trust service <b>provider</b>
          holding the "<a
            href="http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
            rel="nofollow" class="moz-txt-link-freetext"
            moz-do-not-send="true">http://uri.etsi.org/TrstSvc/Svctype/CA/QC</a>"
          service type</i> <i><b>with extension <a
              class="moz-txt-link-rfc2396E"
href="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures"
              moz-do-not-send="true">
"http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures"</a>,</b></i>
        <i>and the "<a
href="http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
            rel="nofollow" class="moz-txt-link-freetext"
            moz-do-not-send="true">http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</a>"
          status on an EU Trusted List. The "GRANTED" status must be
          effective at the time of signing (if the signature is
          associated with a Qualified time stamp) or at the time of
          validation (if the signature is not associated with a
          Qualified time stamp). The signature certificate SHALL include
          the <code>esi4-qcStatement-6</code> Qcstatement as specified
          in clause 4.2.1 of ETSI EN 319 412-5 incorporating the <code>id-etsi-qct-esign</code>
          QcType as specified in clause 4.2.3 of ETSI EN 319 412-5.</i>
        <br>
        <br>
        Do we need similar language added in 3.2.4.2 (4) (Validation of
        individual identity) or should we refer to 3.2.4.1 (4) as
        sufficient to perform the identity validation besides the
        attribute collection? <br>
        <br>
        Similarly, section 3.2.3 (Authentication of organization
        identity) could make use of Qualified Certificates for
        Electronic Seals for acquiring attributes of organization
        identity (3.2.3.1), which could satisfy the organization
        identity validation (3.2.3.2) as well. <br>
        <br>
        The eSeal language would look like the following: <br>
        <br>
        <i>eIDAS Qualified: The CA MAY rely upon a digital signature
          created using a Qualified Certificate for Electronic Seals
          issued by a trust service provider holding the "<a
            href="http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
            rel="nofollow" class="moz-txt-link-freetext"
            moz-do-not-send="true">http://uri.etsi.org/TrstSvc/Svctype/CA/QC</a>"
          service type with extension <a class="moz-txt-link-rfc2396E"
href="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSeals"
            moz-do-not-send="true">"http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSeals"</a>,
          and the "<a
href="http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
            rel="nofollow" class="moz-txt-link-freetext"
            moz-do-not-send="true">http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</a>"
          status on an EU Trusted List. The "GRANTED" status must be
          effective at the time of signing (if the signature is
          associated with a Qualified time stamp) or at the time of
          validation (if the signature is not associated with a
          Qualified time stamp). The signature certificate SHALL include
          the <code>esi4-qcStatement-6</code> Qcstatement as specified
          in clause 4.2.1 of ETSI EN 319 412-5 incorporating the <code>id-etsi-qct-eseal</code>
          QcType as specified in clause 4.2.3 of ETSI EN 319 412-5.</i>
        <br>
        <br>
        <br>
        Thoughts? <br>
        Dimitris. <br>
        <br>
        <div class="moz-cite-prefix">On 25/4/2024 3:06 a.m., Stephen
          Davidson via Smcwg-public wrote:<br>
        </div>
        <blockquote type="cite"
cite="mid:0100018f1292edbf-4a167cec-66ce-4816-b6d5-28abaf71bc79-000000@email.amazonses.com">
          <div class="WordSection1">
            <p class="MsoNormal">Hello all:</p>
            <p class="MsoNormal">As discussed today, here is draft
              language for consideration to allow CAs to rely upon
              signatures created with eIDAS Qualified certificates as
              evidence supporting validation of individual identity.</p>
            <p class="MsoNormal"><a
href="https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md"
                moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md</a></p>
            <p class="MsoNormal">I’d be grateful for feedback on this
              language.</p>
            <p class="MsoNormal">Best, Stephen</p>
          </div>
          <br>
          <fieldset class="moz-mime-attachment-header"></fieldset>
          <pre class="moz-quote-pre" wrap="">_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
          href="mailto:Smcwg-public@cabforum.org" moz-do-not-send="true">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext"
href="https://lists.cabforum.org/mailman/listinfo/smcwg-public"
          moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
        </blockquote>
      </blockquote>
    </blockquote>
    <br>
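    <p>The reliance conditions in the proposed "eIDAS Qualified" text quoted above (CA/QC service type, ForeSignatures or ForeSeals extension, "granted" status at the reference time, matching QcType), as an added example that is not part of the thread or of the SMBR text. The flattened trusted-list record, the names <code>may_rely</code> and <code>status_at</code>, and the sample data are assumptions constructed for illustration; parsing a real Trusted List and verifying the signature itself are out of scope.</p>

```python
from datetime import datetime, timezone

# Identifiers quoted in the proposed SMBR text.
SVC_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
EXT_BASE = "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/"
# OIDs from ETSI EN 319 412-5: esi4-qcStatement-6 and its QcType values.
QC_TYPE_STATEMENT = "0.4.0.1862.1.6"
PROFILES = {
    "esign": (EXT_BASE + "ForeSignatures", "0.4.0.1862.1.6.1"),  # id-etsi-qct-esign
    "eseal": (EXT_BASE + "ForeSeals", "0.4.0.1862.1.6.2"),       # id-etsi-qct-eseal
}

def status_at(history, when):
    """Return the status URI in force at `when`, or None before the first entry."""
    current = None
    for start, status in sorted(history):
        if when >= start:
            current = status
    return current

def may_rely(profile, service, qc_statements, validation_time, qualified_ts=None):
    """Apply the proposed checks in order; returns (ok, reason)."""
    ext_uri, qc_type = PROFILES[profile]
    if service["type"] != SVC_CA_QC:
        return False, "service type is not CA/QC"
    if ext_uri not in service["extensions"]:
        return False, "missing " + ext_uri.rsplit("/", 1)[1]
    # Signing time is used only when backed by a Qualified time stamp;
    # otherwise the status is evaluated at validation time.
    reference = qualified_ts or validation_time
    if status_at(service["history"], reference) != GRANTED:
        return False, "service not granted at reference time"
    if qc_type not in qc_statements.get(QC_TYPE_STATEMENT, ()):
        return False, "QcType mismatch"
    return True, "ok"

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data (hypothetical layout): a service granted in 2020
# and withdrawn in 2024, plus the already-decoded qcStatements of a signer.
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"
SERVICE = {"type": SVC_CA_QC, "extensions": {PROFILES["esign"][0]},
           "history": [(utc(2020, 1, 1), GRANTED), (utc(2024, 3, 1), WITHDRAWN)]}
ESIGN_CERT = {QC_TYPE_STATEMENT: ["0.4.0.1862.1.6.1"]}
```

    <p>With the sample data, a signature carrying a Qualified time stamp from 2023 passes, while the same signature without one fails when validated after the withdrawal date.</p>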
  </body>
</html>