<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><font face="Calibri">I agree with Dimitris' suggestions, as far
        as the eIDAS framework is concerned. </font></p>
    <p><font face="Calibri">In the meantime, let's note that today
      eIDAS2 was published in the EU Official Journal as
      Regulation (EU) 2024/1183 amending the old eIDAS (Regulation (EU)
      No 910/2014), and some of the original articles have been deleted,
      so if we intend to insert references to some of the Regulation's
      articles in the SMBR we should take care to mention the right ones
      :)</font></p>
    <p>Adriano</p>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 29/04/2024 18:55, Dimitris
      Zacharopoulos (HARICA) via Smcwg-public wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:0100018f2ac82989-d0dc56df-6b57-42ca-ade1-b29c429c2344-000000@email.amazonses.com">
      <br>
      Hi Stephen,
      <br>
      <br>
      After some internal review and based on the fact that eIDAS
      supports identity proofing for natural persons AND legal entities,
      I have some suggestions.
      <br>
      <br>
      In 3.2.4.1 (4) which is related to "Attribute collection of
      individual identity":
      <br>
      <br>
      From:
      <br>
      <br>
      <i>eIDAS Qualified: The CA MAY rely upon a signature created using
        a Qualified Electronic Signature Certificate issued by a trust
        service holding the "<a
          href="http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
          rel="nofollow" class="moz-txt-link-freetext"
          moz-do-not-send="true">http://uri.etsi.org/TrstSvc/Svctype/CA/QC</a>"
        service type and the "<a
href="http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
          rel="nofollow" class="moz-txt-link-freetext"
          moz-do-not-send="true">http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</a>"
        status on an EU Trusted List. The "GRANTED" status must be
        effective at the time of signing (if the signature is associated
        with a Qualified time stamp) or at the time of validation (if
        the
        signature is not associated with a Qualified time stamp). The
        signature certificate SHALL include the
        <code>esi4-qcStatement-6</code> Qcstatement as specified in
        clause
        4.2.1 of ETSI EN 319 412-5 incorporating the
        <code>id-etsi-qct-esign</code> QcType as specified in clause
        4.2.3
        of ETSI EN 319 412-5.</i>
      <br>
      <br>
      To:
      <br>
      <br>
      <i>eIDAS Qualified: The CA MAY rely upon a <b>digital</b>
        signature
        created using a <b>Qualified Certificate for Electronic
          Signatures</b> issued by a trust service <b>provider</b>
        holding
        the "<a href="http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
          rel="nofollow" class="moz-txt-link-freetext"
          moz-do-not-send="true">http://uri.etsi.org/TrstSvc/Svctype/CA/QC</a>"
        service type</i> <i><b>with extension <a
            class="moz-txt-link-rfc2396E"
href="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures"
            moz-do-not-send="true">
"http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures"</a>,</b></i>
      <i>and the "<a
href="http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
          rel="nofollow" class="moz-txt-link-freetext"
          moz-do-not-send="true">http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</a>"
        status on an EU Trusted List. The "GRANTED" status must be
        effective at the time of signing (if the signature is associated
        with a Qualified time stamp) or at the time of validation (if
        the
        signature is not associated with a Qualified time stamp). The
        signature certificate SHALL include the
        <code>esi4-qcStatement-6</code> Qcstatement as specified in
        clause
        4.2.1 of ETSI EN 319 412-5 incorporating the
        <code>id-etsi-qct-esign</code> QcType as specified in clause
        4.2.3
        of ETSI EN 319 412-5.</i>
      <br>
      <br>
      Do we need similar language added in 3.2.4.2 (4) (Validation of
      individual identity) or should we refer to 3.2.4.1 (4) as
      sufficient to perform the identity validation besides the
      attribute
      collection?
      <br>
      <br>
      Similarly, section 3.2.3 (Authentication of organization identity)
      could make use of Qualified Certificates for Electronic Seals for
      acquiring attributes of organization identity (3.2.3.1), which
      could satisfy the organization identity validation (3.2.3.2) as
      well.
      <br>
      <br>
      The eSeal language would look like the following:
      <br>
      <br>
      <i>eIDAS Qualified: The CA MAY rely upon a digital signature
        created using a Qualified Certificate for Electronic Seals
        issued
        by a trust service provider holding the "<a
          href="http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
          rel="nofollow" class="moz-txt-link-freetext"
          moz-do-not-send="true">http://uri.etsi.org/TrstSvc/Svctype/CA/QC</a>"
        service type with extension <a class="moz-txt-link-rfc2396E"
href="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSeals"
          moz-do-not-send="true">"http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSeals"</a>,
        and the "<a
href="http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
          rel="nofollow" class="moz-txt-link-freetext"
          moz-do-not-send="true">http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</a>"
        status on an EU Trusted List. The "GRANTED" status must be
        effective at the time of signing (if the signature is associated
        with a Qualified time stamp) or at the time of validation (if
        the
        signature is not associated with a Qualified time stamp). The
        signature certificate SHALL include the
        <code>esi4-qcStatement-6</code> Qcstatement as specified in
        clause
        4.2.1 of ETSI EN 319 412-5 incorporating the
        <code>id-etsi-qct-eseal</code> QcType as specified in clause
        4.2.3
        of ETSI EN 319 412-5.</i>
      <br>
      <br>
      <br>
      Thoughts?
      <br>
      Dimitris.
      <br>
      <br>
      <div class="moz-cite-prefix">On 25/4/2024 3:06 a.m., Stephen
        Davidson via Smcwg-public wrote:<br>
      </div>
      <blockquote type="cite"
cite="mid:0100018f1292edbf-4a167cec-66ce-4816-b6d5-28abaf71bc79-000000@email.amazonses.com">
        <div class="WordSection1">
          <p class="MsoNormal">Hello all:</p>
          <p class="MsoNormal">As discussed today, here is draft
            language for consideration to allow CAs to rely upon
            signatures created with eIDAS Qualified certificates as
            evidence supporting validation of individual identity.</p>
          <p class="MsoNormal"><a
href="https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md"
              class="moz-txt-link-freetext">https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md</a></p>
          <p class="MsoNormal">I’d be grateful for feedback on this
            language.</p>
          <p class="MsoNormal">Best, Stephen</p>
        </div>
        <br>
        <pre class="moz-quote-pre" wrap="">_______________________________________________
Smcwg-public mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
        href="mailto:Smcwg-public@cabforum.org" moz-do-not-send="true">Smcwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext"
        href="https://lists.cabforum.org/mailman/listinfo/smcwg-public"
        moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a>
</pre>
      </blockquote>
    </blockquote>
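    <p>The "eIDAS Qualified" clause quoted in the proposal above leaves
      the relying CA with two mechanical checks on the signer's
      certificate and its issuer: the certificate's qcStatements
      extension must carry esi4-qcStatement-6 (id-etsi-qcs-QcType)
      listing id-etsi-qct-esign for the individual-identity clause or
      id-etsi-qct-eseal for the eSeal clause, and the issuing service's
      status on the Trusted List must have been "granted" at the
      reference time, which is the signing time when a qualified time
      stamp is present and the validation time otherwise. The Python
      below is an added example written for this page; it is not code
      from the proposal, from the SMCWG, from HARICA or from the linked
      GitHub draft. It decodes the qcStatements value with a minimal DER
      parser and applies the time rule to a service status history. The
      OIDs and status URIs are the published values from RFC 3739, ETSI
      EN 319 412-5 and the ETSI Trusted List status scheme; everything
      else (the function names, the sample extension values and the
      sample service history, which are built inline) is this example's
      own construction and does not come from any real certificate or
      Trusted List.</p>

```python
"""Checks behind the 'eIDAS Qualified' clause: QcType in the signer's certificate and Trusted
List status at the reference time. Added example, no third-party dependencies; all sample data
below is constructed for illustration, not taken from a real certificate or Trusted List."""
from datetime import datetime, timezone

# Published identifiers: RFC 3739 qcStatements, ETSI EN 319 412-5 clauses 4.2.1/4.2.3, ETSI TS 119 612
ID_ETSI_QCS_QCCOMPLIANCE = "0.4.0.1862.1.1"
ID_ETSI_QCS_QCTYPE = "0.4.0.1862.1.6"          # esi4-qcStatement-6
ID_ETSI_QCT_ESIGN = "0.4.0.1862.1.6.1"
ID_ETSI_QCT_ESEAL = "0.4.0.1862.1.6.2"
TL_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
TL_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

def read_tlv(buf, pos):
    """Read one definite-length DER TLV at buf[pos:]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    first = value[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                                # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def encode_oid(dotted):
    """Dotted string -> DER OBJECT IDENTIFIER TLV (only used to build the sample data)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return bytes([0x06, len(body)]) + body

def der_sequence(*children):
    body = b"".join(children)                           # short-form length: samples stay < 128 bytes
    return bytes([0x30, len(body)]) + body

def parse_qc_statements(ext_value):
    """QcStatements ::= SEQUENCE OF QcStatement {statementId OID, statementInfo ANY OPTIONAL}."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("qcStatements is not a SEQUENCE")
    statements, pos = {}, 0
    while pos < len(body):
        stag, sbody, pos = read_tlv(body, pos)
        otag, oid, p = read_tlv(sbody, 0)
        if stag != 0x30 or otag != 0x06:
            raise ValueError("malformed QcStatement")
        statements[decode_oid(oid)] = sbody[p:] or None   # raw statementInfo, if present
    return statements

def qc_types(ext_value):
    """QcType OIDs in esi4-qcStatement-6 (QcType ::= SEQUENCE OF OID); empty set if absent."""
    info = parse_qc_statements(ext_value).get(ID_ETSI_QCS_QCTYPE)
    if info is None:
        return set()
    tag, body, _ = read_tlv(info, 0)
    if tag != 0x30:
        raise ValueError("QcType is not a SEQUENCE OF OID")
    types, pos = set(), 0
    while pos < len(body):
        otag, oid, pos = read_tlv(body, pos)
        if otag != 0x06:
            raise ValueError("QcType member is not an OID")
        types.add(decode_oid(oid))
    return types

def satisfies_qc_type(ext_value, required_type):
    """esi4-qcStatement-6 lists required_type (ESIGN for the individual clause, ESEAL for eSeals)."""
    return required_type in qc_types(ext_value)

def status_at(history, when):
    """Status effective at `when`, from [(effective_from, status_uri), ...] in ascending order."""
    return next((uri for start, uri in reversed(history) if start <= when), None)

def granted_at_reference_time(history, signing_time, validation_time, has_qualified_timestamp):
    """The clause's time rule: 'granted' at signing time if a qualified time stamp exists, else at validation time."""
    reference = signing_time if has_qualified_timestamp else validation_time
    return status_at(history, reference) == TL_GRANTED

# Constructed sample qcStatements extension values (not real certificates).
SAMPLE_ESIGN = der_sequence(der_sequence(encode_oid(ID_ETSI_QCS_QCCOMPLIANCE)),
                            der_sequence(encode_oid(ID_ETSI_QCS_QCTYPE), der_sequence(encode_oid(ID_ETSI_QCT_ESIGN))))
SAMPLE_ESEAL = der_sequence(der_sequence(encode_oid(ID_ETSI_QCS_QCCOMPLIANCE)),
                            der_sequence(encode_oid(ID_ETSI_QCS_QCTYPE), der_sequence(encode_oid(ID_ETSI_QCT_ESEAL))))
# Constructed service history (as a Trusted List ServiceHistory would record it): granted 2020-01-01, withdrawn 2024-03-01.
SAMPLE_HISTORY = [(datetime(2020, 1, 1, tzinfo=timezone.utc), TL_GRANTED),
                  (datetime(2024, 3, 1, tzinfo=timezone.utc), TL_WITHDRAWN)]
```

    <p>For a real certificate the value passed to <code>qc_types</code>
      is the DER contents of the qcStatements extension (OID
      1.3.6.1.5.5.7.1.3) as returned by whatever X.509 library the CA
      uses, and the status history is read from the member state Trusted
      List's ServiceHistory rather than constructed as above; both of
      those steps are outside this example. A QcCompliance statement on
      its own does not say whether the certificate is for electronic
      signatures or for electronic seals, which is why each of the two
      proposed clauses pins the QcType it expects.</p>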
  </body>
</html>