<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello all,</p>
<p>Authentication of organization identity involves the collection of
some attributes and their validation. To collect these attributes, a
CA typically queries a reliable third-party source, e.g. the
business register of the relevant country. Among the attributes that
can be found in these sources there is normally also the <i>operational
status</i> of the company, e.g. ACTIVE or CEASED.</p>
<p>To me, it seems logical that a certificate should not be issued
to a ceased company, but this is not specified in the SMBR. I
believe we should specify it. </p>
<p>In the current SMBR, the entity status is required to be ACTIVE
only in the particular case of inserting an LEI reference in the
certificate (which is not mandatory), but not in the more general
case. Perhaps an oversight? </p>
<p>A company that has gone out of business (e.g. in liquidation) may
still "exist" in a certain way for some time (you can still check
any other data regarding it, in the company registry), but it is
still a defunct company to which, in my opinion, a certificate
should not be issued. I can imagine that someone will have a
different opinion and say that there is no problem in issuing a
certificate to a company in liquidation. But then, I see no reason
why we require the entity status to be ACTIVE "If an LEI data
reference is used".<br>
</p>
<p>I therefore propose to include a clarification in the SMBRs
(possibly in section 3.2.3.1) that the operational status of the
company is one of the attributes to be collected, and that it must
be ACTIVE (or the equivalent according to the terminology of the
relevant country), regardless of whether an LEI reference is used
or not in the certificate.<br>
</p>
<p>Adriano<br>
</p>
<p>PS: In my opinion, this also affects the BRs and the CSBRs.<br>
</p>
<br>
</body>
</html>