[cabfpub] EV 11.2.1 Private Organization registration number or date

Ryan Sleevi sleevi at google.com
Fri Sep 1 13:16:37 MST 2017


On Fri, Sep 1, 2017 at 4:01 PM, Rich Smith <richard.smith at comodo.com> wrote:

>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Friday, September 1, 2017 1:32 PM
>
> Thanks Rich for sharing the added details about when this case comes up.
>
> Is it frequent enough to require the 'fail open' case? Do we believe that
> security is improved by that - that is, it seems equally likely that if it
> was 'fail closed' (e.g. deny), then such banks desiring EV certificates
> can/would lobby RBI to ensure such information is provided, and that seems
> a positive outcome.
>
> *[RWS] I appreciate where you’re coming from with this suggestion, but
> realistically, it’s not likely to happen and I’d rather we take steps to
> come up with a reasonable solution to a not entirely uncommon problem if we
> can.  If we absolutely can’t come to agreement on a reasonable solution,
> I’m fine at that point telling these customers, “Sorry you simply don’t
> qualify,” but at the end of the day I’d rather see us find a way to issue
> EVs to legit organizations.  I don’t see the point to shutting out a legit
> segment of the market because we can’t be bothered to try to find a
> reasonable way to include them.*
>

I'm not sure it's fair to say "we can't be bothered to try and find a
reasonable way" - it could very well be that there simply isn't a
reasonable way, without compromising on our principles, to accommodate
these use cases, in which case, organizations that are left out can ensure
that they meet the necessary minimum bar.

That is, I don't think it would be argued that we can't find a reasonable
way to allow EV certificates for "just" domain holders - rather, from the
perspective of CAs and their goal of EV, it's simply incompatible to issue
to an entity without doing the due-diligence to ensure they meet the
necessary bar (e.g. an incorporated entity). Alternatively, we can look at
the discussion of IV vs EV and see the same bar - the conceptual model
simply doesn't align, and it's not about shutting out segments of markets.

You mentioned "not entirely uncommon", but it's the first time it's been
raised to the Forum that I'm aware of. I'm tremendously appreciative of you
sharing the case you did, because it was a useful exercise in reading and
researching the nature of this situation and the opportunity to better
understand the challenges CAs face. Given that the Indian banking community
is a rather small set, was your "not entirely uncommon" meant to include
other cases? Could you share further details? Or did you really just mean
that there's a number of banks in India that fall under this scenario?


>
>
> Understandably, I'd much rather prefer a whitelist to address such
> situations rather than a blanket exception.
>
> *[RWS] I’m OK with that and is what I was trying to get at with my
> proposed solution.  Do you have any specific feedback regarding that?  I’ll
> flesh it out more and turn it into a ballot if we can come to basic terms
> regarding what we generally want to see happen in an exception case.*
>

Given the additional bits you shared above, I'm hoping you can shed more
light into the "not entirely uncommon" scenarios and other cases you can
think of, which will help better explore what might be a reasonable
compromise, should one exist.