[Smcwg-public] [External Sender] Draft proposal to add eIDAS QES as vetting evidence for individual
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu May 16 11:26:35 UTC 2024
On 29/4/2024 5:27 PM, Adriano Santoni via Smcwg-public wrote:
>
> Furthermore, I think it would make sense to also accept a digital
> signature made with an S/MIME IV certificate, because evidently this
> would be a sufficiently reliable way of individual identification; in
> practice, in order to obtain a new S/MIME IV certificate, e.g. for
> renewal purposes, or perhaps for a different email address, I think
> the CA should be able to accept a signature made with an S/MIME IV
> certificate already in the applicant's possession, compliant with the
> SMBRs, not expired and not revoked. To this end, I would say that a
> signed S/MIME message could be fine... what do you (all) think?
>
> Adriano
>
I didn't see anyone commenting on this and I'm not sure if it was
discussed at a Teleconference I missed. Adriano, I think this goes a bit
too far in the sense that it is circular. The CA must attest *at time of
issuance* that all the information included in the certificate and
authorization has been validated by the CA, can be relied upon or is
allowed to be reused according to the rules.

The way I read your post allows CA1 to rely on an IV Certificate issued
by CA2 which has several risks because CA1 has no way of verifying that
the certificate of CA2 was issued in a compliant -with the SMBRs- manner.

I think it is ok for the same CA to accept a signed (with an existing
S/MIME IV Certificate) request for renewal, coming from an existing
Subscriber, as long as the existing stored evidence can be re-used
according to the rules.

Dimitris.