[cabfpub] [EXTERNAL] EV 11.2.1 Private Organization registration number or date

Ryan Sleevi sleevi at google.com
Thu Aug 31 19:25:37 UTC 2017


Kirk, I don't believe your answer is compliant with the text as written.
I'm also somewhat nervous about the argument being put forward - "they
can't do the impossible" - because it creates an incentive for the CA to
declare something is 'impossible' and issue anyways. For example, if a CA
determined it was "impossible" to comply with 3.2.2.4 (for example, they
"couldn't" find a lawyer to write a domain authorization document, they
"couldn't" modify a record on the domain, their corporate policies "don't"
let them host a file, etc), that doesn't mean they get to issue the cert.

As the text has it as a SHALL, I don't think there can be a reasonable
argument made to suggest it's valid to issue. That's not to say we can't or
shouldn't revisit, but that's also not to say it's permitted now.

I think if we did want to go down that route of downgrading, then I think
like 9.16.3, the jurisdictions that provide neither (such as what Rich has
raised) should be publicly documented through the CA/Browser Forum. After
all, it may simply be that the CA made a mistake in determining that it was
"impossible" - and this helps detect and correct that - or it may be that
it is truly impossible, and we can maintain such a list of exceptions in a
public and shared way, to ensure consistency.

On Thu, Aug 31, 2017 at 12:50 PM, Kirk Hall via Public <public at cabforum.org>
wrote:

> My feeling is we should modify to SHOULD and also require the CA to make a
> notation in the vetting file if the jurisdiction does not provide that
> information.  (Different question, but I’m assuming you can determine the
> registration is still active, right?)
>
>
>
> I also think that a CA can’t do the impossible, so if that jurisdiction
> simply does not have a registration number or date, you should record that
> and go ahead and issue.  When we drafted this section, we assumed the info
> would always be available (as I recall, New York has no registration number
> but has a date), and we wanted to collect the info just to show the CA had
> done the work.  But if the data is not available, I don’t think the EV cert
> should be denied so long as you get proof the registration exists and
> document that to the file.
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of* Rich
> Smith via Public
> *Sent:* Thursday, August 31, 2017 8:30 AM
> *To:* 'CA/Browser Forum Public Discussion List' <public at cabforum.org>
> *Subject:* [EXTERNAL][cabfpub] EV 11.2.1 Private Organization
> registration number or date
>
>
>
> EVG 11.2.1 (1)(c) states:
>
> (C) Registration Number: Obtain the specific Registration Number assigned
> to the Applicant by the Incorporating or Registration Agency in the
> Applicant's Jurisdiction of Incorporation or Registration. Where the
> Incorporating or Registration Agency does not assign a Registration Number,
> the CA SHALL obtain the Applicant's date of Incorporation or Registration.
>
>
>
> What if the Registration Agency simply does not publish, and will not
> provide either registration number or date?  In the case I’m looking at
> they have legal name, registered address and phone number.  There is no
> registration number nor date published and they will not provide either one
> even when our agents call in and ask for the information.
>
>
>
> If the only answer at this time is, “Then we can’t issue an EV cert,”
> which is the direction I’m leaning, then I’d like to discuss/propose
> changing “CA SHALL” in the above to “CA SHOULD”.
>
>
>
> Feedback would be much appreciated, especially from those who might be
> willing to endorse such a ballot or those who might be strongly opposed to
> such a ballot.  If anyone has a sound argument that we actually can issue
> an EV under the current wording, I’d love to hear that as well.
>
>
>
> Thanks,
>
> Rich Smith
>
> Senior Compliance Manager
>
> Comodo
>