[cabfpub] [EXTERNAL] EV 11.2.1 Private Organization registration number or date

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Aug 31 14:35:00 MST 2017


Ryan, please show some courtesy and professionalism in your messages. These scoldings, whether toward me or others, really are not appropriate on the Forum list when there are other more civil ways to express yourself.

No, Entrust has not done this (applied the well-established legal doctrine of impossibility to the EVGL).  I was just trying to explain to fellow members, in answer to a new question, one option that applies common sense and common legal principles that apply in the rest of society so that a website owner that has been properly authenticated by the CA (including confirmation of its corporate existence) could get an EV certificate – where the barrier to getting the certificate today is the Forum’s mistake in drafting the EVGL standards.

Now that we know you oppose applying common legal standards to the Forum’s guidelines, that was all you needed to say.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, August 31, 2017 1:30 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Rich Smith <richard.smith at comodo.com>
Subject: Re: [cabfpub] [EXTERNAL] EV 11.2.1 Private Organization registration number or date

Kirk, I want to reiterate - your view of applying legal theory to the BRs is not something we support. If you or Entrust finds yourself applying such interpretations to the Baseline Requirements, then please be aware that you are not correct, as they are technical documents.

If you are not adhering to the exact letter, you are misissuing. Please stop that, if you are doing so, to ensure the EV status for Entrust certificates is maintained.

I am trying to ensure this is as direct as possible, as this is something Google has repeatedly iterated in the Forum. The Baseline Requirements are not a legal document or legal contract - they are a technical document and standard. If X is prohibited, it is prohibited - CAs do not get to interpret situations or scenarios in which they can do X because of what they believe to be applicable legal or legislative theory. These documents are not subject or open to CA's interpretation.

If you find something is not clear, please report it as such, so we can ensure it's as technically unambiguous as possible.

Do not fulfill the spirit and purpose of the EVGL. Fulfill the letter, or do not expect EV certificates, past, present, or future, to be recognized.

On Thu, Aug 31, 2017 at 4:21 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
There is a well-established legal doctrine of “Impossibility”, which excuses performance of a requirement under certain limited conditions.

https://en.wikipedia.org/wiki/Impossibility

In limited cases, it seems that doctrine could apply to the BRs.

Here, we assumed every jurisdiction would provide a registration number or date when passing the EVGL rule, but we were incorrect.  It seems that substitute performance by a CA would fulfill the spirit and purpose of the EVGL rule (where absolute compliance is impossible), which doesn’t bother me.  In the meantime, we should also amend the EVGL to allow for this case (where there is no registration number or date).

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, August 31, 2017 12:26 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Rich Smith <richard.smith at comodo.com>
Subject: Re: [cabfpub] [EXTERNAL] EV 11.2.1 Private Organization registration number or date

Kirk, I don't believe your answer is compliant with the text as written. I'm also somewhat nervous about the argument being put forward - "they can't do the impossible" - because it creates an incentive for the CA to declare something is 'impossible' and issue anyways. For example, if a CA determined it was "impossible" to comply with 3.2.2.4 (for example, they "couldn't" find a lawyer to write a domain authorization document, they "couldn't" modify a record on the domain, their corporate policies "don't" let them host a file, etc), that doesn't mean they get to issue the cert.

As the text has it as a SHALL, I don't think there can be a reasonable argument made to suggest it's valid to issue. That's not to say we can't or shouldn't revisit, but that's also not to say it's permitted now.

I think if we did want to go down that route of downgrading, then I think like 9.16.3, the jurisdictions that provide neither (such as what Rich has raised) should be publicly documented through the CA/Browser Forum. After all, it may simply be that the CA made a mistake in determining that it was "impossible" - and this helps detect and correct that - or it may be that it is truly impossible, and we can maintain such a list of exceptions in a public and shared way, to ensure consistency.

On Thu, Aug 31, 2017 at 12:50 PM, Kirk Hall via Public <public at cabforum.org> wrote:
My feeling is we should modify to SHOULD and also require the CA to make a notation in the vetting file if the jurisdiction does not provide that information.  (Different question, but I’m assuming you can determine the registration is still active, right?)

I also think that a CA can’t do the impossible, so if that jurisdiction simply does not have a registration number or date, you should record that and go ahead and issue.  When we drafted this section, we assumed the info would always be available (as I recall, New York has no registration number but has a date), and we wanted to collect the info just to show the CA had done the work.  But if the data is not available, I don’t think the EV cert should be denied so long as you get proof the registration exists and document that to the file.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Rich Smith via Public
Sent: Thursday, August 31, 2017 8:30 AM
To: 'CA/Browser Forum Public Discussion List' <public at cabforum.org>
Subject: [EXTERNAL][cabfpub] EV 11.2.1 Private Organization registration number or date

EVG 11.2.1 (1)(c) states:
(C) Registration Number: Obtain the specific Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Where the Incorporating or Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Incorporation or Registration.

What if the Registration Agency simply does not publish, and will not provide either registration number or date?  In the case I’m looking at they have legal name, registered address and phone number.  There is no registration number nor date published and they will not provide either one even when our agents call in and ask for the information.

If the only answer at this time is, “Then we can’t issue an EV cert,” which is the direction I’m leaning, then I’d like to discuss/propose changing “CA SHALL” in the above to “CA SHOULD”.

Feedback would be much appreciated, especially from those who might be willing to endorse such a ballot or those who might be strongly opposed to such a ballot.  If anyone has a sound argument that we actually can issue an EV under the current wording, I’d love to hear that as well.

Thanks,
Rich Smith
Senior Compliance Manager
Comodo
