[Servercert-wg] QI*S and possible improvements

Ryan Sleevi sleevi at google.com
Thu Dec 5 09:56:35 MST 2019


snipping a bunch to make it easier to view in the web archives in the
future :)

On Thu, Dec 5, 2019 at 11:25 AM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

>
>>    1. is resilient to attacks with self-reported information. The draft
>>    LEI ballot in the Validation Subcommittee discussed about the various
>>    "assurance levels" of information and agreed to use "Fully corroborated"
>>    information.
>>
>> This is certainly not the case.
>
>
> Why not? LOUs (LEI Issuers) use the information from the list of
> "Registration Authorities" to validate the Organization Information and
> issue an LEI.
>

To try and clarify the terminology:
An LEI Registration Authority is like-an EVG QGIS
An LEI LOU is like-an EVG RA

An LEI RA is not the same as an EVG RA
An LEI LOU is not the same as an EVG Q*IS

And, in particular, the discussion is not about the use of GLEIF as a QIIS,
but about the definitions within the EV Guidelines with respect to
"Incorporating or Registration Agency", which is a much narrower set.


> If the GLEIF scheme requires an LOU to go through at least the same level
> of rigor as described in the EV Guidelines for the "Fully Corroborated"
> assurance level (to accept the "Registration Authority" as reliable for
> "Fully Corroborated information"), why should this be repeated?
>

That's the thing: the GLEIF scheme does not place anywhere remotely
comparable requirements on LOUs as the EVGs (and NCSSRs) do on RAs.

And that's OK, because they're solving different things. The threat model
for a "mis-issued" LEI is vastly different than the threat-model for an RA,
because they're solving different problems, and not only would it not be
desirable for the requirements to be the same, it'd probably be highly
undesirable!

> Yes, the terminology is confusing. My intended suggestion was to use
> GLEIF's Registration Authorities as a collection of potential QISs. GLEIF
> has more than 700 "Registration Authorities", which are basically "business
> registries", which could be used as QIS according to the EV Guidelines if
> they additionally passed the requirements of 11.11.5 (for QIIS), 11.11.6
> (for QGIS). Is this correct?
>

Yes, this is closer to what I was suggesting. The list of GLEIF RAs is very
different than the list of GLEIF LOUs.

However, as I mentioned (and other CAs have also pointed out), the set of
GLEIF RAs is not aligned with the set of EVG criteria for Q*IS for
purposes of incorporation information, because LEIs are looking at a
different subset of the problem than the EVGs. I know I've had the most
conversations with DigiCert on this, although I hope other CAs have similar
experience, particularly in the discussions about how LEIs are used to
identify regulated financial entities, which can represent a different set
of information from the incorporation. That is, for an LEI, it may be
sufficient to reference simply that an entity is a recognized financial
institution, but that's not the same as the incorporation details of that
institution.

There's a lot more nuance here, and that's why I proposed the bottom-up
approach rather than the top-down. That bottom-up approach should
definitely consider the experience that GLEIF had with their own bottom-up
approach of defining the initial RA list. However, it should also be true
that CAs already have their list of Incorporating Agency or Registration
Agency, which is the first step here.

It *may* be that GLEIF can be used as a QIIS with respect to other
attributes, but the discussion previously about jurisdictionOf* is specific
to "Incorporation Agency" and "Registration Agency", and that's something
separate.


> While searching more information about the "fully corroborated" status of
> vetted information (does it come from only one "RA"? Multiple "RAs"? Are
> there different "assurance levels" for "RAs"?), I think it is worth
> exploring the option of using this list, at least as "input" for the
> "Qualified" algorithm described in the EVG. Obviously further work is
> needed to analyze this list against lists that other CAs, like Digicert,
> have disclosed.
>

The corroboration depends on the information being presented and its
availability across data-sources. Not every RA provides every field that
GLEIF can express, which can cause the issues. Specific, however, to the
discussion here in the Forum, with respect to the jurisdictional
information of incorporation, I don't think we need to (nor do the EVGs
permit, nor should they) the use of GLEIF itself as the Registration Agency.
It's merely the pointer to the Registration Agency, which the CA themselves
needs to validate.