[Servercert-wg] Ballot SC30: Disclosure of Registration / Incorporating Agency

Ryan Sleevi sleevi at google.com
Tue Jun 16 16:32:17 MST 2020


This begins the discussion period for Ballot SC30: Disclosure of
Registration / Incorporating Agency


*Purpose of Ballot:*
The EV Guidelines aim to ensure a consistent and repeatable level of
validation for certificates, regardless of the CA performing the
validation, providing Relying Parties consistency for all certificates
complying with these Guidelines. Although the Guidelines attempt to specify
objective requirements, areas remain that rely on a subjective
determination by the CA. One such area is determining whether a given
Incorporating Agency or Registration Agency fulfills these Requirements.

As currently specified, it's possible for one CA to make a determination
that a given Registration Agency or Incorporating Agency does meet the
requirements of the EV Guidelines, while a different CA determines that
same Agency does not. As the reliability of the information validated
within the Certificate is tied to the reliability of the data source used
to verify this information, this inconsistency undermines the assurance
that EV Certificates are meant to provide.

While there is utility in being able to identify precisely what
datasource(s) were used with a given Certificate, this ballot does not
involve such work. It merely seeks to ensure that, for any given
Organization, it can be validated consistently and to the same degree,
regardless of the CA, by working to achieve consistency among all CAs in
their selection of data sources.

Much like the work to remove “Any other method” from the validation of
domain names, ensuring consistency, transparency, and objectivity in
validating domain names, this ballot is the first step to doing the same
for organization information.

A potential roadmap of ballots to to address these issues involves:


   - CAs publish the list of Registration Agencies / Incorporating Agencies
   they use (this ballot)
   - Create an allowed list of Registration Agencies / Incorporating
   Agencies and associated values, along with a process for updating and
   adding new ones, and requiring issuance exclusively use Agencies on this
   list.
   - If useful and relevant to Relying Parties, ensure each Certificate can
   be tied back to their Registration Agency / Incorporating Agency, such as
   disclosure within the Certificate itself, so they can unambiguously and
   uniquely determine the organization that has been validated.


A similar process may then be repeated for other forms of verification data
sources, such as the QIIS, QTIS, and QGIS within the EV Guidelines, or the
Reliable Data Sources within the Baseline Requirements.

This was originally drafted in
https://github.com/sleevi/cabforum-docs/pull/11 , and as a pull request is
available at https://github.com/cabforum/documents/pull/194

The following motion has been proposed by Ryan Sleevi of Google and
endorsed by Ben Wilson of Mozilla and Dimitris Zacharopoulos of HARICA.

*— MOTION BEGINS —*

This ballot modifies the “Guidelines for the Issuance and Management of
Extended Validation Certificates” (“EV Guidelines”) as follows, based on
version 1.7.2:

ADD a paragraph to Section 9.2.4 of the EV Guidelines as defined in the
following redline:
https://github.com/cabforum/documents/compare/d5067bbbfb46906c65e476ef3d55dd3b2c505a09..33de720df2af6328922524e675f02cb4468a9609

ADD a paragraph to Section 9.2.5 of the EV Guidelines as defined in the
following redline:
https://github.com/cabforum/documents/compare/d5067bbbfb46906c65e476ef3d55dd3b2c505a09..33de720df2af6328922524e675f02cb4468a9609

ADD a Section 11.1.3 to the EV Guidelines as defined in the following
redline:
https://github.com/cabforum/documents/compare/d5067bbbfb46906c65e476ef3d55dd3b2c505a09..33de720df2af6328922524e675f02cb4468a9609

The Chair or Vice-Chair is permitted to update the Relevant Dates of the EV
Guidelines as appropriate, such as in the following redline:
https://github.com/cabforum/documents/compare/d5067bbbfb46906c65e476ef3d55dd3b2c505a09..33de720df2af6328922524e675f02cb4468a9609

*— MOTION ENDS —*

This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)
Start Time: 17-June 2020 00:00 UTC
End Time: 24-June 2020 12:00 UTC

Vote for approval (7 days)
Start Time: TBD
End Time: TBD
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200616/722fa1b6/attachment.html>


More information about the Servercert-wg mailing list