<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">Thank you, Maria, for sharing your opinion.</font></p>
<p><font face="Calibri">I'd love to hear from others as well....</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<div class="moz-cite-prefix">On 09/01/2024 17:54, Maria Merkel wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKtZuQ5Pi+Qyjbb1YRqCXdcs3vPcfw1gU_PkmvCoYWj_CecPUQ@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">Hello Adriano,
<div><br>
</div>
<div>I'm not sure whether I have posting permissions for this
list, but I will try anyway.</div>
<div><br>
</div>
<div>I do believe this is a wider issue than just one for S/MIME. I had recently noticed that a CA had issued a TLS server certificate to a company that no longer exists (as the company had merged into a new company, and the legal entity in the certificate has been dissolved as a result). I had reported this to the CA, who have decided not to revoke the certificate (and have, in fact, issued at least one further certificate to the company), despite me having shared government-provided evidence of the company having been dissolved, because they were able to verify the name via a "reliable source" (presumably D&amp;B or Google).</div>
<div><br>
</div>
<div>I looked into this further at the time and it seems like this is currently perfectly compliant with the BR, but surely adding a rule prohibiting CAs from including information they know to be incorrect, even if it is "verifiable", would make sense?</div>
<div><br>
</div>
<div>Regarding companies in liquidation, I am not sure these should be prohibited from obtaining certificates. Companies in liquidation may continue to operate for a significant amount of time under the management of their liquidator, and it doesn't seem unlikely that for some companies it may be required (or at least desired) to obtain certificates during that time.</div>
<div><br>
</div>
<div>Maria Merkel</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Jan 9, 2024 at
5:44 PM
Adriano Santoni via Smcwg-public <<a
href="mailto:smcwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello all,</p>
<p>Authentication of organization identity involves the collection of some attributes and their validation. To collect these attributes, a CA typically queries a reliable third-party source, e.g. the business register of the relevant country. Among the attributes that can be found in these sources there is normally also the <i>operational status</i> of the company, such as ACTIVE or CEASED.</p>
<p>To me, it seems logical that a certificate should not be issued to a ceased company, but this is not specified in the SMBR. I believe we should specify it.</p>
<p>In the current SMBR, the entity status is required to be ACTIVE only in the particular case of inserting an LEI reference in the certificate (which is not mandatory), but not in the more general case. Perhaps an oversight?</p>
<p>A company that has gone out of business (e.g. in liquidation) may still "exist" in a certain way for some time (you can still check any other data regarding it in the company registry), but it is still a defunct company to which, in my opinion, a certificate should not be issued. I can imagine that someone will have a different opinion and say that there is no problem in issuing a certificate to a company in liquidation. But then, I see no reason why we require the entity status to be ACTIVE "If an LEI data reference is used".</p>
<p>I therefore propose to include a clarification in the SMBRs (possibly in section 3.2.3.1) that the operational status of the company is one of the attributes to be collected, and that it must be ACTIVE (or the equivalent according to the terminology of the relevant country), regardless of whether an LEI reference is used or not in the certificate.</p>
<p>Adriano</p>
<p>PS: In my opinion, this also affects the BRs and the CSBRs.</p>
<br>
</div>
_______________________________________________<br>
Smcwg-public mailing list<br>
<a href="mailto:Smcwg-public@cabforum.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/smcwg-public"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><br>
</blockquote>
</div>
</div>
</blockquote>
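<p>The gap the thread describes can be made concrete as an issuance-policy check. The following is an added example, not code from the list or from any CA: it models the current SMBR behaviour (status checked only when an LEI reference is used) beside the proposed rule (ACTIVE always required, and information the CA knows to be wrong never accepted), with the liquidation case left as a switch because the thread disagrees on it. The status terms, record fields and function names are assumptions made for illustration.</p>

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    ACTIVE = "ACTIVE"
    IN_LIQUIDATION = "IN_LIQUIDATION"
    CEASED = "CEASED"
    UNKNOWN = "UNKNOWN"

# Constructed mapping from register-specific wording to a normalized status
# ("or the equivalent according to the terminology of the relevant country").
# The labels are illustrative and not taken from any real business register.
STATUS_TERMS = {
    "active": Status.ACTIVE, "attiva": Status.ACTIVE, "registered": Status.ACTIVE,
    "in liquidation": Status.IN_LIQUIDATION, "in liquidazione": Status.IN_LIQUIDATION,
    "ceased": Status.CEASED, "cessata": Status.CEASED, "dissolved": Status.CEASED,
}

def normalize_status(raw: str) -> Status:
    """Unknown wording is never treated as ACTIVE; it must be resolved by a human."""
    return STATUS_TERMS.get(raw.strip().lower(), Status.UNKNOWN)

@dataclass
class OrgRecord:                      # hypothetical shape of a validation record
    name: str
    registry_status: str              # wording as returned by the register
    lei_reference: bool = False       # whether an LEI reference goes in the cert
    dissolution_evidence: bool = False  # e.g. a government document the CA has seen

def current_smbr_allows(rec: OrgRecord) -> bool:
    """Today's SMBR as described in the thread: status only matters with an LEI."""
    if rec.lei_reference:
        return normalize_status(rec.registry_status) is Status.ACTIVE
    return True

def proposed_rule_allows(rec: OrgRecord, allow_liquidation: bool = False) -> bool:
    """Proposed rule: ACTIVE (or local equivalent) regardless of LEI, and a CA
    must not rely on data it knows to be incorrect (Maria's point)."""
    if rec.dissolution_evidence:
        return False
    status = normalize_status(rec.registry_status)
    if status is Status.ACTIVE:
        return True
    # Contested case: companies in liquidation may still need certificates.
    return allow_liquidation and status is Status.IN_LIQUIDATION
```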
</body>
</html>