[cabfpub] EV 11.2.1 Private Organization registration number or date

Ryan Sleevi sleevi at google.com
Fri Sep 1 18:31:58 UTC 2017


Thanks Rich for sharing the added details about when this case comes up.

Is it frequent enough to require the 'fail open' case? Do we believe that
security is improved by that - that is, it seems equally likely that if it
was 'fail closed' (e.g. deny), then such banks desiring EV certificates
can/would lobby RBI to ensure such information is provided, and that seems
a positive outcome.

Understandably, I'd much rather prefer a whitelist to address such
situations rather than a blanket exception.

On Fri, Sep 1, 2017 at 10:56 AM, Rich Smith via Public <public at cabforum.org>
wrote:

> To follow up, first, I agree with Ryan that issuance w/out either
> registration number or registration date is prohibited under current EVG
> text.
>
>
>
> I’d like to see us make some change to the Guidelines to address this
> because I’ve come across several examples over the years where this has
> been the case.  I think the basic assumption that one or the other would
> generally be available is generally true for a standard corporate
> registration, though not in every jurisdiction.
>
>
>
> Where I’ve come across this, to the best of my recollection, and as in
> this case, has been banks and other financial institutions, or possibly
> insurance companies, and the like where they are registered and
> administered by government entities other than the standard corporate
> registries.
>
>
>
> This particular case is a bank in India.  Banks in India are registered
> with and overseen by the Reserve Bank of India.  They maintain a list of
> banks here:
>
> https://rbi.org.in/scripts/AboutUsDisplay.aspx?pg=RegionalRuralBanks.htm
>
>
>
> As you can see, they show bank name, address, phone number and website.
> Our validation agents report that they have contacted the RBI by phone and
> were unable to obtain the required information.
>
>
>
> Possible solution, taking Ryan’s comments to mind:
>
> Change “CA SHALL” to “CA SHOULD”, with additional guidance that exceptions
> MUST be posted for Forum review/discussion to the Public list no fewer than
> 7 days prior to issuance.  Thereafter, issuance may take place if no member
> can point out another source from which the required information may be
> obtained, and the exception will be logged/tracked in an added Appendix to
> the EVGs.
>
>
>
> Thoughts?
>
>
>
> Regards,
>
> Rich
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Geoff
> Keating via Public
> *Sent:* Thursday, August 31, 2017 5:36 PM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Subject:* Re: [cabfpub] EV 11.2.1 Private Organization registration
> number or date
>
>
>
>
>
>
>
> On 31 Aug 2017, at 2:42 pm, Kirk Hall via Public <public at cabforum.org>
> wrote:
>
>
>
> Geoff – clearly this applicant will now be denied, but I have to disagree
> with one of your underlying assumptions below - “there is no way to
> uniquely identify the entity”.  Rich Smith of Comodo indicated that the
> applicant’s corporate registration had been confirmed with the government
> authority – perhaps based on address or some other identifying factor.
> Again, when we drafted the EVGL (I think I drafted this particular
> section), we assumed there would be a registration number or date of
> registration in all records (we were wrong), but even without that, a CA
> would have the ability to confirm proper corporate registration tied to the
> applicant’s unique identity so that identity would be confirmed.
>
>
>
> Even assuming that there isn’t the possibility of two simultaneous
> registrations of different entities with the same name (hopefully the
> government authority prevents this), one question is whether, in future,
> this entity could dissolve, and a new distinct entity could be created with
> the same name at the same address.  I don’t know what kind of entity we’re
> talking about, so I don’t know how easy this would be.  In some cases, for
> example partnerships in the US, this happens routinely and frequently.
>
>
>
> I think we should amend EVGL 11.2.1 (1)(c) to allow some other method for
> recording the confirmation of proper corporate registration.  Since Rich
> knows the facts of this case, I’ll leave it to him to come up with any
> amending language.
>
>
>