
Kleopatra: Bold appearance for qualified signatures might be confusing for public and non-signing keys
Open, Normal, Public

Description

Currently qualified signatures (all certificates signed by a root cert with the qual flag) are shown bold.

  • This also applies to entries with public key only, which might be confusing, as it normally indicates secret keys. What about e.g. using italic or an icon?
  • Additionally this also applies to non-signing certificates, which is probably not right?

gpg4win-5.0.0 @ win11

vsd-3.3.4 @ win10

Details

Version
gpg4win-5.0.0 @ win11, vsd-3.3.4 @ win10

Event Timeline

timegrid created this object with edit policy "Contributor (Project)".

Well, the qual flag should only be set for CAs dedicated to certifying QES certificates. And those should by definition be signature certificates only, afaik.

But bold font for public keys is a no go imho, that would be disruptive for support. (I don't like bold for Root-CAs, either, btw).
If we'd use italics that would combine nicely with normal and bold fonts to indicate either a QES certificate public or private key.

Take care: Too many attributes (color, font) are bad style.

This overloading of "bold" for "my certificates", "qualified certificates" and "trusted root certificates" seems to exist since two decades. I stopped digging into ancient history at the commit that added the hard-coded default filters.

I'm wondering whether highlighting QES certificates is really useful.

ebo triaged this task as Normal priority. Tue, Feb 3, 10:40 AM

Highlighting QES is mostly useful for Okular, I guess.
Maybe use a symbol with a pen? That should be self-explanatory.

In T6632: Okular: Highlight / preselect "nonRepudiation" certificates for qualified signatures I had the impression that some hint is useful for signing operations. Probably not so much in general.

Using an icon for QES certificates isn't that easy because we use an icon for smartcard certificates and any list item can have at most one icon. Moreover, QES certificates are very likely stored on a smartcard (isn't that even a requirement?), i.e. an icon clash is basically guaranteed.

@svuorela said QES certs shouldn't be required to be on a smartcard.

Regarding signing operations: a bold font is useless anyway, as you wouldn't be able to distinguish them from other secret keys.
So the only context in which this appearance could make sense right now is on the verification side (others, who imported only the public key), which is currently interpreted as secret key.

I'd either just remove that appearance rule or choose some color (just slightly different, nothing too eye-catchy).

I currently have a slight preference to drop bold and go with normal font. Werner would be ok with that, too.

From a European Commission FAQ on electronic signatures:

Usually, providers of qualified certificates for electronic signatures deliver the corresponding private key on a qualified signature creation device (QSCD).

So QES certificates should usually be on a smart card or similar, but it is no hard requirement.

Would no default highlighting be ok from the Okular perspective?

The display in Okular is independent from Kleopatra, so dropping it in Kleopatra should be fine.
If a QES certificate is available, Okular should highlight and add a filter for them (which is currently not working, see T6632: Okular: Highlight / preselect "nonRepudiation" certificates for qualified signatures).