[cabfpub] EV 11.2.1 Private Organization registration number or date
Scott Rea
scott at scottrea.com
Mon Sep 4 07:54:36 UTC 2017
In the use case stated here, the applicant only does not qualify because
there is not a unique ID and date registered with an accepted authority
(if I understand things correctly). So why not ask the organization to
register their company with whoever the country RA is (assuming the
country has an ISO/ITU designated country RA) and then the resulting OID
becomes the ID, a date will be assigned to its registration and the
country RA as part of the registration process ensures that the any
future claimants trying to re-register the same details is the original
entity or not.
Is this an acceptable solution? It would seem that it does not involve
much work and would ensure the technical requirements of EVG are met and
maintained...
No need to change existing EVG.
Thoughts?
Regards,
-Scott
On 9/2/2017 12:16 AM, Ryan Sleevi via Public wrote:
>
>
> On Fri, Sep 1, 2017 at 4:01 PM, Rich Smith <richard.smith at comodo.com
> <mailto:richard.smith at comodo.com>> wrote:
>
> __ __
>
> __ __
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com
> <mailto:sleevi at google.com>]
> *Sent:* Friday, September 1, 2017 1:32 PM
>
> Thanks Rich for sharing the added details about when this case comes
> up.____
>
> __ __
>
> Is it frequent enough to require the 'fail open' case? Do we believe
> that security is improved by that - that is, it seems equally likely
> that if it was 'fail closed" (e.g. deny), then such banks desiring
> EV certificates can/would lobby RBI to ensure such information is
> provided, and that seems a positive outcome.____
>
> */[RWS] I appreciate where you’re coming from with this suggestion,
> but realistically, it’s not likely to happen and I’d rather we take
> steps to come up with a reasonable solution to a not entirely
> uncommon problem if we can. If we absolutely can’t come to
> agreement on a reasonable solution, I’m fine at that point telling
> these customers, “Sorry you simply don’t qualify,” but at the end of
> the day I’d rather see us find a way to issue EVs to legit
> organizations. I don’t see the point to shutting out a legit
> segment of the market because we can’t be bothered to try to find a
> reasonable way to include them./*
>
>
> I'm not sure it's fair to say "we can't be bothered to try and find a
> reasonable way" - it could very well be that there simply isn't a
> reasonable way, without compromising on our principles, to accommodate
> these use cases, in which case, organizations that are left out can
> ensure that they meet the necessary minimum bar.
>
> That is, I don't think it would be argued that we can't find a
> reasonable way to allow EV certificates for "just" domain holders -
> rather, from the perspective of CAs and their goal of EV, it's simply
> incompatible to issue to an entity without doing the due-diligence to
> ensure they meet the necessary bar (e.g. an incorporated entity).
> Alternatively, we can look at the discussion of IV vs EV and see the
> same bar - the conceptual model simply doesn't align, and it's not about
> shutting out segments of markets.
>
> You mentioned "not entirely uncommon", but it's the first time it's been
> raised to the Forum that I'm aware of. I'm tremendously appreciative of
> you sharing the case you did, because it was a useful exercise in
> reading and researching the nature of this situation and the opportunity
> to better understand the challenges CAs face. Given that the Indian
> banking community is a rather small set, was your "not entirely
> uncommon" meant to include other cases? Could you share further details?
> Or did you really just mean that there's a number of banks in India that
> fall under this scenario?
>
>
> ____
>
> __ __
>
> Understandably, I'd much rather prefer a whitelist to address such
> situations rather than a blanket exception.____
>
> */[RWS] I’m OK with that and is what I was trying to get at with my
> proposed solution. Do you have any specific feedback regarding
> that? I’ll flesh it out more and turn it into a ballot if we can
> some to basic terms regarding what we generally want to see happen
> in an exception case./*
>
>
> Given the additional bits you shared above, I'm hoping you can shed more
> light into the "not entirely uncommon" scenarios and other cases you can
> think of, which will help better explore what might be a reasonable
> compromise, should one exist.
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
--
Scott Rea, MSc, CISSP
Ph# (801) 874-4114
More information about the Public
mailing list