[cabfpub] EV 11.2.1 Private Organization registration number or date

Moudrick M. Dadashov md at ssc.lt
Mon Sep 4 04:28:19 MST 2017 

This is  good idea, but unfortunately, hardly realizable - the fact that 
a country has ISO/ITU designated RA, doesn't mean you can get an OID...

Thanks,
M.D.

On 9/4/2017 10:54 AM, Scott Rea via Public wrote:
> In the use case stated here, the applicant only does not qualify because
> there is not a unique ID and date registered with an accepted authority
> (if I understand things correctly). So why not ask the organization to
> register their company with whoever the country RA is (assuming the
> country has an ISO/ITU designated country RA) and then the resulting OID
> becomes the ID, a date will be assigned to its registration and the
> country RA as part of the registration process ensures that the any
> future claimants trying to re-register the same details is the original
> entity or not.
> Is this an acceptable solution? It would seem that it does not involve
> much work and would ensure the technical requirements of EVG are met and
> maintained...
> No need to change existing EVG.
> Thoughts?
>
> Regards,
> -Scott
>
> On 9/2/2017 12:16 AM, Ryan Sleevi via Public wrote:
>>
>> On Fri, Sep 1, 2017 at 4:01 PM, Rich Smith <richard.smith at comodo.com
>> <mailto:richard.smith at comodo.com>> wrote:
>>
>>      __ __
>>
>>      __ __
>>
>>      *From:* Ryan Sleevi [mailto:sleevi at google.com
>>      <mailto:sleevi at google.com>]
>>      *Sent:* Friday, September 1, 2017 1:32 PM
>>
>>      Thanks Rich for sharing the added details about when this case comes
>>      up.____
>>
>>      __ __
>>
>>      Is it frequent enough to require the 'fail open' case? Do we believe
>>      that security is improved by that - that is, it seems equally likely
>>      that if it was 'fail closed" (e.g. deny), then such banks desiring
>>      EV certificates can/would lobby RBI to ensure such information is
>>      provided, and that seems a positive outcome.____
>>
>>      */[RWS] I appreciate where you’re coming from with this suggestion,
>>      but realistically, it’s not likely to happen and I’d rather we take
>>      steps to come up with a reasonable solution to a not entirely
>>      uncommon problem if we can.  If we absolutely can’t come to
>>      agreement on a reasonable solution, I’m fine at that point telling
>>      these customers, “Sorry you simply don’t qualify,” but at the end of
>>      the day I’d rather see us find a way to issue EVs to legit
>>      organizations.  I don’t see the point to shutting out a legit
>>      segment of the market because we can’t be bothered to try to find a
>>      reasonable way to include them./*
>>
>>
>> I'm not sure it's fair to say "we can't be bothered to try and find a
>> reasonable way" - it could very well be that there simply isn't a
>> reasonable way, without compromising on our principles, to accommodate
>> these use cases, in which case, organizations that are left out can
>> ensure that they meet the necessary minimum bar.
>>
>> That is, I don't think it would be argued that we can't find a
>> reasonable way to allow EV certificates for "just" domain holders -
>> rather, from the perspective of CAs and their goal of EV, it's simply
>> incompatible to issue to an entity without doing the due-diligence to
>> ensure they meet the necessary bar (e.g. an incorporated entity).
>> Alternatively, we can look at the discussion of IV vs EV and see the
>> same bar - the conceptual model simply doesn't align, and it's not about
>> shutting out segments of markets.
>>
>> You mentioned "not entirely uncommon", but it's the first time it's been
>> raised to the Forum that I'm aware of. I'm tremendously appreciative of
>> you sharing the case you did, because it was a useful exercise in
>> reading and researching the nature of this situation and the opportunity
>> to better understand the challenges CAs face. Given that the Indian
>> banking community is a rather small set, was your "not entirely
>> uncommon" meant to include other cases? Could you share further details?
>> Or did you really just mean that there's a number of banks in India that
>> fall under this scenario?
>>   
>>
>>      ____
>>
>>      __ __
>>
>>      Understandably, I'd much rather prefer a whitelist to address such
>>      situations rather than a blanket exception.____
>>
>>      */[RWS] I’m OK with that and is what I was trying to get at with my
>>      proposed solution.  Do you have any specific feedback regarding
>>      that?  I’ll flesh it out more and turn it into a ballot if we can
>>      some to basic terms regarding what we generally want to see happen
>>      in an exception case./*
>>
>>   
>> Given the additional bits you shared above, I'm hoping you can shed more
>> light into the "not entirely uncommon" scenarios and other cases you can
>> think of, which will help better explore what might be a reasonable
>> compromise, should one exist.
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170904/27732e6d/attachment-0001.html>

More information about the Public mailing list