[cabfpub] [EXTERNAL] EV 11.2.1 Private Organization registration number or date

Ryan Sleevi sleevi at google.com
Thu Aug 31 20:30:08 UTC 2017


Kirk, I want to reiterate - your view of applying legal theory to the BRs
is not something we support. If you or Entrust finds yourself applying such
interpretations to the Baseline Requirements, then please be aware that you
are not correct, as they are technical documents.

If you are not adhering to the exact letter, you are misissuing. Please
stop that, if you are doing so, to ensure the EV status for Entrust
certificates is maintained.

I am trying to ensure this is as direct as possible, as this is something
Google has repeatedly iterated in the Forum. The Baseline Requirements are
not a legal document or legal contract - they are a technical document and
standard. If X is prohibited, it is prohibited - CAs do not get to
interpret situations or scenarios in which they can do X because of what
they believe to be applicable legal or legislative theory. These documents
are not subject or open to CA's interpretation.

If you find something is not clear, please report it as such, so we can
ensure it's as technically unambiguous as possible.

Do not fulfill the spirit and purpose of the EVGL. Fulfill the letter, or
do not expect EV certificates, past, present, or future, to be recognized.

On Thu, Aug 31, 2017 at 4:21 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> There is a well-established legal doctrine of “Impossibility”, which
> excuses performance of a requirement under certain limited conditions.
>
>
>
> https://en.wikipedia.org/wiki/Impossibility
>
>
>
> In limited cases, it seems that doctrine could apply to the BRs.
>
>
>
> Here, we assumed every jurisdiction would provide a registration number or
> date when passing the EVGL rule, but we were incorrect.  It seems that
> substitute performance by a CA would fulfill the spirit and purpose of the
> EVGL rule (where absolute compliance is impossible), which doesn’t bother
> me.  In the meantime, we should also amend the EVGL to allow for this case
> (where there is no registration number or date).
>
>
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Thursday, August 31, 2017 12:26 PM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Cc:* Rich Smith <richard.smith at comodo.com>
> *Subject:* Re: [cabfpub] [EXTERNAL] EV 11.2.1 Private Organization
> registration number or date
>
>
>
> Kirk, I don't believe your answer is compliant with the text as written.
> I'm also somewhat nervous about the argument being put forward - "they
> can't do the impossible" - because it creates an incentive for the CA to
> declare something is 'impossible' and issue anyways. For example, if a CA
> determined it was "impossible" to comply with 3.2.2.4 (for example, they
> "couldn't" find a lawyer to write a domain authorization document, they
> "couldn't" modify a record on the domain, their corporate policies "don't"
> let them host a file, etc), that doesn't mean they get to issue the cert.
>
>
>
> As the text has it as a SHALL, I don't think there can be a reasonable
> argument made to suggest it's valid to issue. That's not to say we can't or
> shouldn't revisit, but that's also not to say it's permitted now.
>
>
>
> I think if we did want to go down that route of downgrading, then I think
> like 9.16.3, the jurisdictions that provide neither (such as what Rich has
> raised) should be publicly documented through the CA/Browser Forum. After
> all, it may simply be that the CA made a mistake in determining that it was
> "impossible" - and this helps detect and correct that - or it may be that
> it is truly impossible, and we can maintain such a list of exceptions in a
> public and shared way, to ensure consistency.
>
>
>
> On Thu, Aug 31, 2017 at 12:50 PM, Kirk Hall via Public <
> public at cabforum.org> wrote:
>
> My feeling is we should modify to SHOULD and also require the CA to make a
> notation in the vetting file if the jurisdiction does not provide that
> information.  (Different question, but I’m assuming you can determine the
> registration is still active, right?)
>
>
>
> I also think that a CA can’t do the impossible, so if that jurisdiction
> simply does not have a registration number or date, you should record that
> and go ahead and issue.  When we drafted this section, we assumed the info
> would always be available (as I recall, New York has no registration number
> but has a date), and we wanted to collect the info just to show the CA had
> done the work.  But if the data is not available, I don’t think the EV cert
> should be denied so long as you get proof the registration exists and
> document that to the file.
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Rich
> Smith via Public
> *Sent:* Thursday, August 31, 2017 8:30 AM
> *To:* 'CA/Browser Forum Public Discussion List' <public at cabforum.org>
> *Subject:* [EXTERNAL][cabfpub] EV 11.2.1 Private Organization
> registration number or date
>
>
>
> EVG 11.2.1 (1)(c) states:
>
> (C) Registration Number: Obtain the specific Registration Number assigned
> to the Applicant by the Incorporating or Registration Agency in the
> Applicant's Jurisdiction of Incorporation or Registration. Where the
> Incorporating or Registration Agency does not assign a Registration Number,
> the CA SHALL obtain the Applicant's date of Incorporation or Registration.
>
>
>
> What if the Registration Agency simply does not publish, and will not
> provide either registration number or date?  In the case I’m looking at
> they have legal name, registered address and phone number.  There is no
> registration number nor date published and they will not provide either one
> even when our agents call in and ask for the information.
>
>
>
> If the only answer at this time is, “Then we can’t issue an EV cert,”
> which is the direction I’m leaning, then I’d like to discuss/propose
> changing “CA SHALL” in the above to “CA SHOULD”.
>
>
>
> Feedback would be much appreciated, especially from those who might be
> willing to endorse such a ballot or those who might be strongly opposed to
> such a ballot.  If anyone has a sound argument that we actually can issue
> an EV under the current wording, I’d love to hear that as well.
>
>
>
> Thanks,
>
> Rich Smith
>
> Senior Compliance Manager
>
> Comodo
>
>