[cabfpub] [EXTERNAL] EV 11.2.1 Private Organization registration number or date

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Aug 31 20:21:05 UTC 2017


There is a well-established legal doctrine of “Impossibility”, which excuses performance of a requirement under certain limited conditions.

https://en.wikipedia.org/wiki/Impossibility

In limited cases, it seems that doctrine could apply to the BRs.

Here, we assumed every jurisdiction would provide a registration number or date when passing the EVGL rule, but we were incorrect.  It seems that substitute performance by a CA would fulfill the spirit and purpose of the EVGL rule (where absolute compliance is impossible), which doesn’t bother me.  In the meantime, we should also amend the EVGL to allow for this case (where there is no registration number or date).

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, August 31, 2017 12:26 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Rich Smith <richard.smith at comodo.com>
Subject: Re: [cabfpub] [EXTERNAL] EV 11.2.1 Private Organization registration number or date

Kirk, I don't believe your answer is compliant with the text as written. I'm also somewhat nervous about the argument being put forward - "they can't do the impossible" - because it creates an incentive for the CA to declare something is 'impossible' and issue anyways. For example, if a CA determined it was "impossible" to comply with 3.2.2.4 (for example, they "couldn't" find a lawyer to write a domain authorization document, they "couldn't" modify a record on the domain, their corporate policies "don't" let them host a file, etc), that doesn't mean they get to issue the cert.

As the text has it as a SHALL, I don't think there can be a reasonable argument made to suggest it's valid to issue. That's not to say we can't or shouldn't revisit, but that's also not to say it's permitted now.

I think if we did want to go down that route of downgrading, then I think like 9.16.3, the jurisdictions that provide neither (such as what Rich has raised) should be publicly documented through the CA/Browser Forum. After all, it may simply be that the CA made a mistake in determining that it was "impossible" - and this helps detect and correct that - or it may be that it is truly impossible, and we can maintain such a list of exceptions in a public and shared way, to ensure consistency.

On Thu, Aug 31, 2017 at 12:50 PM, Kirk Hall via Public <public at cabforum.org> wrote:
My feeling is we should modify to SHOULD and also require the CA to make a notation in the vetting file if the jurisdiction does not provide that information.  (Different question, but I’m assuming you can determine the registration is still active, right?)

I also think that a CA can’t do the impossible, so if that jurisdiction simply does not have a registration number or date, you should record that and go ahead and issue.  When we drafted this section, we assumed the info would always be available (as I recall, New York has no registration number but has a date), and we wanted to collect the info just to show the CA had done the work.  But if the data is not available, I don’t think the EV cert should be denied so long as you get proof the registration exists and document that to the file.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Rich Smith via Public
Sent: Thursday, August 31, 2017 8:30 AM
To: 'CA/Browser Forum Public Discussion List' <public at cabforum.org>
Subject: [EXTERNAL][cabfpub] EV 11.2.1 Private Organization registration number or date

EVG 11.2.1 (1)(c) states:
(C) Registration Number: Obtain the specific Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Where the Incorporating or Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Incorporation or Registration.

What if the Registration Agency simply does not publish, and will not provide either registration number or date?  In the case I’m looking at they have legal name, registered address and phone number.  There is no registration number nor date published and they will not provide either one even when our agents call in and ask for the information.

If the only answer at this time is, “Then we can’t issue an EV cert,” which is the direction I’m leaning, then I’d like to discuss/propose changing “CA SHALL” in the above to “CA SHOULD”.

Feedback would be much appreciated, especially from those who might be willing to endorse such a ballot or those who might be strongly opposed to such a ballot.  If anyone has a sound argument that we actually can issue an EV under the current wording, I’d love to hear that as well.

Thanks,
Rich Smith
Senior Compliance Manager
Comodo
