[Servercert-wg] QI*S and possible improvements

Stephan Wolf Stephan.Wolf at Gleif.org
Thu Dec 5 08:01:05 MST 2019

Fyi – Today we released GLEIF’s registration authorities list v1.5. You’ll find it at: https://www.gleif.org/en/about-lei/code-lists/gleif-registration-authorities-list


From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of "Dimitris Zacharopoulos (HARICA) via Servercert-wg" <servercert-wg at cabforum.org>
Reply-To: "Dimitris Zacharopoulos (HARICA)" <dzacharo at harica.gr>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Date: Thursday, 5 December 2019 at 14:02
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] QI*S and possible improvements


I am creating a new thread to discuss this interesting topic. I'd like to separate this from the specific question I had for the EVG with the decision about what QIS we should use.

Here are my thoughts:

On 2019-12-05 4:38 a.m., Ryan Sleevi via Servercert-wg wrote:

We should definitely take inspiration from GLEIF, who recognized the fundamental quality issues if you do anything less than that.

As we have discussed in the past for the Network Security Requirements, if there was an industry solution that matched our expectation as an Industry, we should defer to that. Ryan, from your previous messages, I understand that you trust the process that GLEIF is using to vet the local LOUs which seems to be the right place for validating Legal Entities worldwide. We should ensure that this solution:
- is widely accepted in similar industries that require organization information to be accurate. I believe this has been answered already since the Banking sector and Governments use this information to make trust decisions
- is resilient to attacks with self-reported information. The draft LEI ballot in the Validation Subcommittee discussed the various "assurance levels" of information and agreed to use "Fully corroborated" information.
- the information is regularly updated. I think this has been established in the process that GLEIF is using
- is regulated by transparent policy. The LEI policy and all related practices are all publicly available
- effective supervision. There seems to be an effective supervision by GLEIF and the hierarchical scheme that is used. Stefan gave us specific examples where LOUs didn't perform their duties as they were supposed to, and they were removed from the scheme.
- ... feel free to add other concerns/questions that we should collectively try to answer.

Therefore, my recommendation would be for the SCWG to consider using GLEIF's process and their LOUs as QIS for EV, with a phase-in period of course. Is this something Members would be interested in exploring?

In case information of certain Countries/Territories is missing, we need to develop a process. I am sure there will be few cases that have not been included in the GLEIF scheme.


