kravietz 🦇 on Nostr: npub12wfyg…f8kwl
npub12wfyg7nljr8h25apv0c2fvqd2l5dcmdymc9d3x7zdy2xtzztaysq7f8kwl (npub12wf…8kwl)
In case of certifying authorities the “scrutiny” is very well defined in the form of the Certification Policy and Certification Practice Statement. Let’s take one QCA I know because I used them in the past - Polish Certum has been issuing qualified certificates since the 2000s, and their CPS can be found here:
https://files.certum.eu/documents/repsitory/1-cert-policy&cert-pract-state-qcs/CCK-DK02-ZK02_CP_and_CPS_6.2.pdf
If you scroll down to page 31, section 3 on Identification and Authentication contains the actual checks applied as part of what you call the “scrutiny”. The whole section takes 10 pages of detailed legal text describing very thorough organisation identity checks performed as part of the initial registration (section 3.2), including official company databases, registration documents, government identification documents of physical persons, etc. That’s the level of scrutiny you get from a QCA.
Let’s now compare that to the CPS of an existing WebTrust member, Google:
https://pki.goog/repo/cps/4.14/GTS-CPS.html#3-2-initial-identity-validation
Even if we take the highest level of validation offered by Google, which is OV (organization validated), the checks and policies described in Google’s CPS are a tiny fraction of those applied as part of the above QCA. For example, company identity validation (section 3.2.2.1) performed by Google sounds rather miserably weak in comparison with QCA checks - Google will happily issue you an OV certificate based on “a site visit by the CA” or “an attestation letter”!
And it’s the same case with all other checks applied by both certifying authorities. In summary, the claim that #eIDAS offers a lower level of scrutiny when issuing the certificates is exactly the opposite of the truth, because QCAs offer a much higher legal and organisational level of checks, which can be clearly demonstrated by the comparison of the relevant CPS documents.
npub199wcwgvkde7wnu22asa9qlg7wzlj4ff6s3qkmvsmgkffaep24nhqq6n803 (npub199w…n803) npub1llzxpc6c3w92hczu49dsxcfqkp5tl9f5e30urrgf2v8tqnu7pkgsww08cq (npub1llz…08cq)