[Servercert-wg] QI*S and possible improvements

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Dec 5 06:00:24 MST 2019


I am creating a new thread to discuss this interesting topic. I'd 
like to separate this from the specific question I had for the EVG about 
the decision on what QIS we should use.

Here are my thoughts:

On 2019-12-05 4:38 a.m., Ryan Sleevi via Servercert-wg wrote:
> We should definitely take inspiration from GLEIF, who recognized the 
> fundamental quality issues if you do anything less than that.

As we have discussed in the past for the Network Security Requirements, 
if there were an industry solution that matched our expectations as an 
industry, we should defer to that. Ryan, from your previous messages, I 
understand that you trust the process that GLEIF is using to vet the 
local LOUs, which seems to be the right place for validating Legal 
Entities worldwide. We should ensure that this solution:

 1. is widely accepted in similar industries that require organization
    information to be accurate. I believe this has been answered already,
    since the banking sector and governments use this information to
    make trust decisions.
 2. is resilient to attacks with self-reported information. The draft
    LEI ballot in the Validation Subcommittee discussed the
    various "assurance levels" of information and agreed to use "Fully
    corroborated" information.
 3. has information that is regularly updated. I think this has been
    established in the process that GLEIF is using.
 4. is regulated by transparent policy. The LEI policy and all related
    practices are publicly available.
 5. has effective supervision. There seems to be effective supervision by
    GLEIF and the hierarchical scheme that is used. Stefan gave us
    specific examples where LOUs didn't perform their duties as they
    were supposed to, and they were removed from the scheme.
 6. ... feel free to add other concerns/questions that we should
    collectively try to answer.

Therefore, my recommendation would be for the SCWG to consider using 
GLEIF's process and their LOUs as QIS for EV, with a phase-in period of 
course. Is this something Members would be interested in exploring?

In case information for certain countries/territories is missing, we need 
to develop a process. I am sure there will be a few cases that have not 
been included in the GLEIF scheme.


Dimitris.
