[cabfpub] EV 11.2.1 Private Organization registration number or date

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Aug 31 21:42:15 UTC 2017


Geoff – clearly this applicant will now be denied, but I have to disagree with one of your underlying assumptions below - “there is no way to uniquely identify the entity”.  Rich Smith of Comodo indicated that the applicant’s corporate registration had been confirmed with the government authority – perhaps based on address or some other identifying factor.  Again, when we drafted the EVGL (I think I drafted this particular section), we assumed there would be a registration number or date of registration in all records (we were wrong), but even without that, a CA would have the ability to confirm proper corporate registration tied to the applicant’s unique identity so that identity would be confirmed.

 

I think we should amend EVGL 11.2.1 (1)(c) to allow some other method for recording the confirmation of proper corporate registration.  Since Rich knows the facts of this case, I’ll leave it to him to come up with any amending language.

 

From: geoffk at apple.com [mailto:geoffk at apple.com] 
Sent: Thursday, August 31, 2017 1:24 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Ryan Sleevi <sleevi at google.com>
Subject: Re: [cabfpub] [EXTERNAL] EV 11.2.1 Private Organization registration number or date

On 31 Aug 2017, at 1:21 pm, Kirk Hall via Public <public at cabforum.org> wrote:

 

There is a well-established legal doctrine of “Impossibility”, which excuses performance of a requirement under certain limited conditions.

 

https://en.wikipedia.org/wiki/Impossibility

 

In limited cases, it seems that doctrine could apply to the BRs. 

 

Here, we assumed every jurisdiction would provide a registration number or date when passing the EVGL rule, but we were incorrect.  It seems that substitute performance by a CA would fulfill the spirit and purpose of the EVGL rule (where absolute compliance is impossible), which doesn’t bother me.  In the meantime, we should also amend the EVGL to allow for this case (where there is no registration number or date).

 

In general, for EV certificate issuance, I believe that if a certificate can’t be issued under the EV criteria, it must not be issued.  It’s expected that some organizations or entities will not be able to get an EV certificate for one reason or another, and “there is no way to uniquely identify the entity” is definitely one of those reasons.
