[cabf_validation] Discussion on improvements for automation in the context of EV certificates

Thu Dec 14 07:55:03 UTC 2023

Hi Christophe

Thanks for sharing this proposal.

My main concern has been that the current language of the EVG strongly indicates that a manual approval is mandated for all EV certificate requests. This has been our interpretation, and this makes it difficult to automate issuance of any EV certificate.

The proposed language clarifies that this is not required for each EV certificate request, so I am happy with the proposal.

In addition, I have a small comment regarding this specific wording:

Due Diligence and Cross Correlation MAY be performed by a single Validation Specialist, however the Validation Specialist MUST be independent of the information and documentation reviewed, (i.e. not involved in the processes and procedures performed).

The underlined text is vague and could be strengthen, e.g. only use the wording in the parentheses:

Due Diligence and Cross Correlation MAY be performed by a single Validation Specialist, however the Validation Specialist MUST not be involved in the processes and procedures performed in the regular validation tasks.

Regards
Mads

From: Validation <validation-bounces at cabforum.org> On Behalf Of Christophe Bonjean via Validation
Sent: Wednesday, December 13, 2023 3:32 PM
To: validation at cabforum.org
Subject: Re: [cabf_validation] Discussion on improvements for automation in the context of EV certificates

Hi all - sharing the draft text for "language improvements in EVGs regarding automation":

https://github.com/cabforum/servercert/compare/main...chrisbn:servercert:improve-evg-automation-issue-467

Any feedback is greatly appreciated.

Christophe

From: Christophe Bonjean
Sent: Thursday, November 2, 2023 2:18 PM
To: validation at cabforum.org<mailto:validation at cabforum.org>
Subject: Discussion on improvements for automation in the context of EV certificates

Hi all,

As a forum, without a doubt one of our goals is to consider areas of automation. In this context, we believe that there are a few areas where the language of the EV Guidelines is ambiguous, and this ambiguity may unnecessarily hinder the goal of automation.

A few areas that we want to highlight:

Due diligence requirement and how it relates to automated processes like domain validation
All the verification processes and procedures are subject to review by someone who is not responsible for the collection of the information. Does this requirement make sense for elements like domain validation which can be completely automated? What is the added value of making the automated domain validation subject to the review by a person?

Delegation of the final cross-correlation to Enterprise RA
What exactly is in scope of this delegation? How does it differ from the role of a Certificate Approver?

We would like to see if there's an opportunity and appetite to clarify some of the language surrounding these topics.

Could this possibly be added to the agenda?

Christophe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20231214/eb07b721/attachment-0001.html>