<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><font face="Calibri">Thank you, Maria, for sharing your opinion.</font></p>
    <p><font face="Calibri">I'd love to hear from others as well...</font></p>
    <p><font face="Calibri">Adriano</font></p>
    <p><font face="Calibri"><br>
      </font></p>
    <div class="moz-cite-prefix">On 09/01/2024 17:54, Maria Merkel
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAKtZuQ5Pi+Qyjbb1YRqCXdcs3vPcfw1gU_PkmvCoYWj_CecPUQ@mail.gmail.com">
      <div dir="ltr">
        <div dir="ltr">Hello Adriano,
          <div><br>
          </div>
          <div>I'm not sure whether I have posting permissions for this
            list, but I will try anyway.</div>
          <div><br>
          </div>
          <div>I do believe this is a wider issue than just one for
            S/MIME. I had recently noticed that a CA had issued a TLS server
            certificate to a company that no longer exists (as the company
            had merged into a new company, and the legal entity in the
            certificate has been dissolved as a result). I had reported this
            to the CA, who have decided not to revoke the certificate (and
            have, in fact, issued at least one further certificate to the
            company), despite me having shared government-provided evidence
            of the company having been dissolved, because they were able to
            verify the name via a "reliable source" (presumably D&amp;B or
            Google).</div>
          <div><br>
          </div>
          <div>I looked into this further at the time and it seems like
            this is currently perfectly compliant with the BR, but surely
            adding a rule prohibiting CAs from including information they
            know to be incorrect, even if it is "verifiable", would make
            sense?</div>
          <div><br>
          </div>
          <div>Regarding companies in liquidation, I am not sure these
            should be prohibited from obtaining certificates. Companies in
            liquidation may continue to operate for a significant amount of
            time under management of their liquidator, and it doesn't seem
            unlikely that for some companies it may be required (or at
            least desired) to obtain certificates during that time.</div>
          <div><br>
          </div>
          <div>Maria Merkel</div>
        </div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Tue, Jan 9, 2024 at
            5:44 PM
            Adriano Santoni via Smcwg-public <<a
              href="mailto:smcwg-public@cabforum.org"
              moz-do-not-send="true" class="moz-txt-link-freetext">smcwg-public@cabforum.org</a>>
            wrote:<br>
          </div>
          <blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div>
              <p>Hello all,</p>
              <p>Authentication of organization identity involves the
                collection of some attributes and their validation. To
                collect these attributes, a CA typically queries a reliable
                third-party source, e.g. the business register of the
                relevant country. Among the attributes that can be found in
                these sources there is normally also the <i>operational
                  status</i> of the company, such as ACTIVE or CEASED.</p>
              <p>To me, it seems logical that a certificate should not be
                issued to a ceased company, but this is not specified in
                the SMBR. I believe we should specify it.</p>
              <p>In the current SMBR, the entity status is required to be
                ACTIVE only in the particular case of inserting an LEI
                reference in the certificate (which is not mandatory), but
                not in the more general case. Perhaps an oversight?</p>
              <p>A company that has gone out of business (e.g. in
                liquidation) may still "exist" in a certain way for some
                time (you can still check any other data regarding it in
                the company registry), but it is still a defunct company
                to which, in my opinion, a certificate should not be
                issued. I can imagine that someone will have a different
                opinion and say that there is no problem in issuing a
                certificate to a company in liquidation. But then, I see
                no reason why we require the entity status to be ACTIVE
                "If an LEI data reference is used".</p>
              <p>I therefore propose to include a clarification in the
                SMBRs (possibly in section 3.2.3.1) that the operational
                status of the company is one of the attributes to be
                collected, and that it must be ACTIVE (or the equivalent
                according to the terminology of the relevant country),
                regardless of whether an LEI reference is used or not in
                the certificate.</p>
              <p>Adriano<br>
              </p>
              <p>PS: In my opinion, this also affects the BRs and the
                CSBRs.<br>
              </p>
              <br>
            </div>
            _______________________________________________<br>
            Smcwg-public mailing list<br>
            <a href="mailto:Smcwg-public@cabforum.org" target="_blank"
              moz-do-not-send="true" class="moz-txt-link-freetext">Smcwg-public@cabforum.org</a><br>
            <a
href="https://lists.cabforum.org/mailman/listinfo/smcwg-public"
              rel="noreferrer" target="_blank" moz-do-not-send="true"
              class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><br>
          </blockquote>
        </div>
      </div>
    </blockquote>
  </body>
</html>