[cabfpub] Ballot 143

Jeremy Rowley jeremy.rowley at digicert.com
Fri Jan 30 07:58:15 MST 2015


Since operational existence only requires the entity to exist for three years OR be listed in a QIIS, the current language would not resolve your concern.  Instead, it only acts to prevent new agencies (less than three years old) from getting certificates. As Rich said, the verification of address and certificate authorization are checks that actually prevent someone from obtaining a certificate for a defunct organization.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Friday, January 30, 2015 6:54 AM
To: Jeremy Rowley; CABFPub
Subject: Re: [cabfpub] Ballot 143

On 29/01/15 19:07, Jeremy Rowley wrote:
> Because government entities aren’t operating as businesses, they are 
> often not listed with a QIIS, especially immediately after the entity 
> is created by either statute or order. The legal existence of these 
> entities is verifiable through a QGIS, but this source in many 
> countries (especially Arabic and African countries) does not always 
> list a date of creation of these entities.  Operational existence 
> exists to ensure organizations aren’t fly-by-night scams/phishing 
> entities.  With government entities, these same risks are not present 
> as they are created directly by government action.

How does your text avoid the risk of issuing an EV certificate to a government entity which was legally created (and therefore its legal existence can be checked) but is in fact no longer operational?

Just looking at the government documents which created it doesn't tell you that it's still doing things. (Of course, if it's defunct, it wouldn't be applying for a cert, but the whole point is to defend against people impersonating such an agency.)

Gerv

