Re: [Smcwg-public] [External] Draft proposal to add eIDAS QES as vetting evidence for individual

2024-04-25 Thread Stephen Davidson via Smcwg-public
Hi Judith -

The text in question allows a CA to look at a third-party cert associated
with a signature and, if it's issued under an approved framework, the CA can
accept the individual identity attributes in the cert as verified.

When the BR was published it laid out acceptance criteria in 3.2.4.1 (4) (b)
- but purposefully did not name any approved frameworks in 3.2.4.1 (4) (a)
following a decision by the working group that each such framework should be
the subject of a separate ballot. The current draft is an effort to "test"
that process.

See more at
https://github.com/cabforum/smime/blob/main/SBR.md#3241-attribute-collection-of-individual-identity

Best, Stephen

From: Judith Spencer
Sent: Thursday, April 25, 2024 11:21 AM
To: Stephen Davidson; SMIME Certificate Working Group
Subject: RE: [External] [Smcwg-public] Draft proposal to add eIDAS QES as
vetting evidence for individual

Stephen

My primary concern with the proposed change is that once it finds its way
into the BR, anyone not in the EU will be eliminated from trusting existing
digital signatures as evidence.  For example, here in the U.S., the U.S.
Government has an extremely robust digital credential based on a full
background check that is independently assessed and accompanied by reams of
documentation, regulation and policy.  Over 7 million individuals hold these
credentials.  But by this policy, signatures from this community would not
be sufficient as evidence.  The CertiPath community, comprised of major
Aerospace Corporations, would likewise be eliminated.  While we don't employ
the same level of background checks in our identity proofing, it is
certainly based on sound practice and audited annually under WebTrust for
CA, which may not be a "national scheme" but is certainly a robust review
process widely recognized in the U.S. and Canada.  

Unless you are prepared to identify schemes that cover all other regions of
the world, I believe it is too early to make this change.  As a compromise,
I suggest you could identify eIDAS as the qualifying scheme for Europe and
remain silent on the rest of the world.  I recommend you revise the opening
as follows:

"If a digital signature is to be used as evidence in the European Union, the
CA or RA SHALL only rely upon the following certificate type:"

Once sufficient assessment has taken place to include all participating
regions, the language could be further modified as you suggest.  

Judy

 

Judith Spencer | PMA Chair | CertiPath, Inc.
1900 Reston Metro Plaza, Suite 303, Reston, VA 20190
PH +1.301.974.4227
Email   judith.spen...@certipath.com

From: Smcwg-public  On Behalf Of Stephen Davidson
via Smcwg-public
Sent: Wednesday, April 24, 2024 8:06 PM
To: smcwg-public@cabforum.org
Subject: [External] [Smcwg-public] Draft proposal to add eIDAS QES as
vetting evidence for individual

Hello all:

As discussed today, here is draft language for consideration to allow CAs to
rely upon signatures created with eIDAS Qualified certificates as evidence
supporting validation of individual identity.

https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md

I'd be grateful for feedback on this language.

Best, Stephen

smime.p7s
Description: S/MIME cryptographic signature
___
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public


Re: [Smcwg-public] [External] Draft proposal to add eIDAS QES as vetting evidence for individual

2024-04-25 Thread Clint Wilson via Smcwg-public
Hi Judith,

As I understand it, the proposed change is purely additive. That is, currently 
there are no approved frameworks in the SBRs meaning that there is no way for a 
compliant CA to rely upon a digital signature as evidence for the collection of 
Individual identity attributes (or any other purpose, I believe, but haven’t 
checked outside of Section 3.2.4.1 as closely). From my reading, this change 
doesn’t eliminate the ability for those not in the EU to trust existing digital 
signatures as evidence as no such ability exists today. Rather, this change 
would only add the ability to rely on digital signatures created by a subset of 
eIDAS Electronic Qualified Signature Certificates. While that is still limited 
in scope, as you indicate, it also doesn’t remove anything already allowed by 
the SBRs.

Can you help me understand better where you see the current SBRs as allowing 
CAs to rely upon digital signatures in the context of 3.2.4.1 today?

Thank you!
-Clint

> On Apr 25, 2024, at 7:20 AM, Judith Spencer via Smcwg-public wrote:
> 
> Stephen
> My primary concern with the proposed change is that once it finds its way 
> into the BR, anyone not in the EU will be eliminated from trusting existing 
> digital signatures as evidence.  For example, here in the U.S., the U.S. 
> Government has an extremely robust digital credential based on a full 
> background check that is independently assessed and accompanied by reams of 
> documentation, regulation and policy.  Over 7 million individuals hold these 
> credentials.  But by this policy, signatures from this community would not be 
> sufficient as evidence.  The CertiPath community, comprised of major 
> Aerospace Corporations, would likewise be eliminated.  While we don’t employ 
> the same level of background checks in our identity proofing, it is certainly 
> based on sound practice and audited annually under WebTrust for CA, which may 
> not be a “national scheme” but is certainly a robust review process widely 
> recognized in the U.S. and Canada.  
> Unless you are prepared to identify schemes that cover all other regions of 
> the world, I believe it is too early to make this change.  As a compromise, I 
> suggest you could identify eIDAS as the qualifying scheme for Europe and 
> remain silent on the rest of the world.  I recommend you revise the opening 
> as follows:
> “If a digital signature is to be used as evidence in the European Union, the 
> CA or RA SHALL only rely upon the following certificate type:”
> Once sufficient assessment has taken place to include all participating 
> regions, the language could be further modified as you suggest.  
> Judy
>  
> Judith Spencer | PMA Chair | CertiPath, Inc.
> 1900 Reston Metro Plaza, Suite 303, Reston, VA 20190
> PH +1.301.974.4227
> Email judith.spen...@certipath.com 
>  
> From: Smcwg-public  On Behalf Of Stephen 
> Davidson via Smcwg-public
> Sent: Wednesday, April 24, 2024 8:06 PM
> To: smcwg-public@cabforum.org
> Subject: [External] [Smcwg-public] Draft proposal to add eIDAS QES as vetting 
> evidence for individual
>  
>  
> Hello all:
>  
> As discussed today, here is draft language for consideration to allow CAs to 
> rely upon signatures created with eIDAS Qualified certificates as evidence 
> supporting validation of individual identity.
> 
> https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md
>  
> I’d be grateful for feedback on this language.
> Best, Stephen
>  
>  





Re: [Smcwg-public] [External] Draft proposal to add eIDAS QES as vetting evidence for individual

2024-04-25 Thread Judith Spencer via Smcwg-public
Stephen

My primary concern with the proposed change is that once it finds its way
into the BR, anyone not in the EU will be eliminated from trusting existing
digital signatures as evidence.  For example, here in the U.S., the U.S.
Government has an extremely robust digital credential based on a full
background check that is independently assessed and accompanied by reams of
documentation, regulation and policy.  Over 7 million individuals hold these
credentials.  But by this policy, signatures from this community would not
be sufficient as evidence.  The CertiPath community, comprised of major
Aerospace Corporations, would likewise be eliminated.  While we don't employ
the same level of background checks in our identity proofing, it is
certainly based on sound practice and audited annually under WebTrust for
CA, which may not be a "national scheme" but is certainly a robust review
process widely recognized in the U.S. and Canada.  

Unless you are prepared to identify schemes that cover all other regions of
the world, I believe it is too early to make this change.  As a compromise,
I suggest you could identify eIDAS as the qualifying scheme for Europe and
remain silent on the rest of the world.  I recommend you revise the opening
as follows:

"If a digital signature is to be used as evidence in the European Union, the
CA or RA SHALL only rely upon the following certificate type:"

Once sufficient assessment has taken place to include all participating
regions, the language could be further modified as you suggest.  

Judy

 

Judith Spencer | PMA Chair | CertiPath, Inc.
1900 Reston Metro Plaza, Suite 303, Reston, VA 20190
PH +1.301.974.4227
Email   judith.spen...@certipath.com

From: Smcwg-public  On Behalf Of Stephen
Davidson via Smcwg-public
Sent: Wednesday, April 24, 2024 8:06 PM
To: smcwg-public@cabforum.org
Subject: [External] [Smcwg-public] Draft proposal to add eIDAS QES as
vetting evidence for individual

Hello all:

As discussed today, here is draft language for consideration to allow CAs to
rely upon signatures created with eIDAS Qualified certificates as evidence
supporting validation of individual identity.

https://github.com/srdavidson/QES-SMIME-BR/blob/master/QES-proposal.md

I'd be grateful for feedback on this language.

Best, Stephen
