[cabfpub] [EXTERNAL] EV 11.2.1 Private Organization registration number or date

Ryan Sleevi sleevi at google.com
Thu Aug 31 16:23:39 MST 2017


On Thu, Aug 31, 2017 at 5:35 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> Ryan, please show some courtesy and professionalism in your messages.
> These scoldings, whether toward me or others, really are not appropriate on
> the Forum list when there are other more civil ways to express yourself.
>

Kirk, please don't confuse a very direct tone with one of incivility. As
Entrust is entrusted with the keys to the Internet, as it were, if Entrust
takes creative liberties based on an incorrect and textually unsupported
interpretation of technical standards it puts users' privacy, safety,
security, and ultimately, lives at risk. I cannot stress enough that this
is a critically serious matter, which is why it is so important to stress
and reiterate these points, to ensure that there is zero misunderstanding.
While you may see this as a scolding, it is not - it's an attempt to
address a very serious, very dangerous misinterpretation in every possible
dimension to ensure there is no misinterpretation and no past, present, or
future action based on that interpretation.

As I highlighted, your interpretation would directly put the security of
the Internet at risk, and were that to represent Entrust's position, or
past actions, the only option would be to take steps to ensure the safety
and security of the Internet, which may involve taking steps to reduce the
risk introduced by such an interpretation. These are the table stakes we
play for in the Forum, and we should not forget it.


> No, Entrust has not done this (applied the well-established legal doctrine
> of impossibility to the EVGL).  I was just trying to explain to fellow
> members, in answer to a new question, one option that applies common sense
> and common legal principles that apply in the rest of society so that a
> website owner that has been properly authenticated by the CA (including
> confirmation of its corporate existence) could get an EV certificate –
> where the barrier to getting the certificate today is the Forum’s mistake
> in drafting the EVGL standards.
>

I disagree with you that it is a mistake, and that's not something you
expressed previously, so allow me to explain why:

The current text, as written, ensures as much as possible there is no
ambiguity as to the nature of the organization or its incorporation, by
resolving either to the legal jurisdiction of its incorporation and the
unambiguous reference to its incorporation or, should such an unambiguous
reference not exist, a sufficiently acceptable disambiguator (regarding the
date) to be effectively equivalent. If we are to believe EV certificates
are meaningful in some way, then this unambiguity is necessary, not
accidental or mistaken.

It is expected that CAs should recognize this as the sole value of EV
certificates, and strive to ensure to maintain the letter of the
requirements - and to raise any concerns and seek feedback, rather than
apply what they might mistakenly believe is common sense (due to an
incomplete understanding of the benefits or the rationale) or legal
principles (which are not applicable to technical standards).


> Now that we know you oppose applying common legal standards to the Forum’s
> guidelines, that was all you needed to say.
>

As Google has made this quite clear, repeatedly in the Forum (as the past
minutes show) and directly to you, the suggestion that "now" it is
understood is rather unfortunate, as it suggests such feedback has been
actively ignored or disregarded. This further highlights the need to be
clear, unambiguous, and direct, to ensure there is zero misinterpretation
about the critical necessity of observing the letter is as important as
observing the spirit, and to consistently err on the side of expecting
something is prohibited, unless expressly and unambiguously permitted.

As bastions of Internet trust, it is expected that the organizations
entrusted to issue certificates take that role seriously, and take an
abundance of caution before doing something. Rich's question is an
excellent question to bring to the Forum, and I'm greatly appreciative of
it, as it has highlighted some members' viewpoints that can result in
actions incompatible with trustworthy operation.