[cabfpub] Revision to the definitoin of a QIIS

Rich Smith richard.smith at comodo.com
Thu Dec 19 17:28:33 UTC 2013

Comodo will also endorse


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Wednesday, December 18, 2013 11:12 PM
To: Jeremy Rowley; CABFPub
Subject: Re: [cabfpub] Revision to the definitoin of a QIIS


Trend Micro will endorse


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Wednesday, December 18, 2013 8:08 PM
Subject: [cabfpub] Revision to the definitoin of a QIIS


The following proposal is from the EV working group.  The test is a proposed replacement for Section 11.10.5, which is the definition of a QIIS.  


The previous QIIS definition did not accurately capture current CA practices. In fact, a strict reading of the existing definition prohibits CAs from using D&B or Hoovers, which are generally regarded as accurate information sources.  The definition below consolidates the confusing and overlapping requirements while clarifying the QIIS verification requirements for CAs.  The new definition permits CAs to use databases of information if the CA has documented its process to verify the data’s accuracy and the CA knows the information is not self-reported.  


I’m looking for comments from those not involved in the working group along with two endorsers who are willing to move this forward. Thanks!





Proposed update to EV Section 11.10.5:


11.10.5 Qualified Independent Information Source

A Qualified Independent Information Source (QIIS) is a regularly updated and publicly available database that is generally  recognized as a dependable and accurate source for such information. A database qualifies as a QIIS if the CA determines that: 

(1) Industries other than the certificate industry rely on the database for accurate location, contact, or other information and

(2) The database provider updates its data on at least an annual basis.

The CA SHALL use a documented process to check the accuracy of the database and ensure its data is acceptable, including reviewing the database provider’s terms of use.  The CA SHALL NOT use any data in a QIIS that the CA knows is (i) self-reported, and (ii) not verified by the QIIS as accurate.  

Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS. 



The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131219/50b10fc9/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6391 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131219/50b10fc9/attachment-0003.bin>

More information about the Public mailing list