[Servercert-wg] Ballot SC30: Disclosure of Registration / Incorporating Agency

Pedro FUENTES pfuentes at WISEKEY.COM
Wed Jun 17 06:36:52 MST 2020


Hello,
I’d have a comment on the proposed wording, but I can’t find the right way to post it on GitHub.

Would it be acceptable to allow a certain margin to disclose the agency “after x days of issuance”, instead of forcing it to be always “prior”?

My rationale is to cover the situation where a request comes from a country/region that is unusual for the CA, and the CA has to use a new agency that wasn’t listed yet. This would allow the CA to issue the certificate after choosing the right agency; it should still commit to disclosing the sources, but this wouldn’t block the issuance. A reasonable time could be 3 days, for example.

Best,
Pedro
 

> On 17 Jun 2020, at 01:32, Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org> wrote:
> 
> This begins the discussion period for Ballot SC30: Disclosure of Registration / Incorporating Agency
> 
> Purpose of Ballot:
> 
> The EV Guidelines aim to ensure a consistent and repeatable level of validation for certificates, regardless of the CA performing the validation, providing Relying Parties consistency for all certificates complying with these Guidelines. Although the Guidelines attempt to specify objective requirements, areas remain that rely on a subjective determination by the CA. One such area is determining whether a given Incorporating Agency or Registration Agency fulfills these Requirements.
> 
> As currently specified, it's possible for one CA to make a determination that a given Registration Agency or Incorporating Agency does meet the requirements of the EV Guidelines, while a different CA determines that same Agency does not. As the reliability of the information validated within the Certificate is tied to the reliability of the data source used to verify this information, this inconsistency undermines the assurance that EV Certificates are meant to provide.
> 
> While there is utility in being able to identify precisely what datasource(s) were used with a given Certificate, this ballot does not involve such work. It merely seeks to ensure that, for any given Organization, it can be validated consistently and to the same degree, regardless of the CA, by working to achieve consistency among all CAs in their selection of data sources.
> 
> Much like the work to remove “Any other method” from the validation of domain names, ensuring consistency, transparency, and objectivity in validating domain names, this ballot is the first step to doing the same for organization information.
> 
> A potential roadmap of ballots to address these issues involves:
> 
> 1. CAs publish the list of Registration Agencies / Incorporating Agencies they use (this ballot).
> 2. Create an allowed list of Registration Agencies / Incorporating Agencies and associated values, along with a process for updating and adding new ones, and require that issuance exclusively use Agencies on this list.
> 3. If useful and relevant to Relying Parties, ensure each Certificate can be tied back to its Registration Agency / Incorporating Agency, such as by disclosure within the Certificate itself, so they can unambiguously and uniquely determine the organization that has been validated.
> 
> A similar process may then be repeated for other forms of verification data sources, such as the QIIS, QTIS, and QGIS within the EV Guidelines, or the Reliable Data Sources within the Baseline Requirements.
> 
> This was originally drafted in https://github.com/sleevi/cabforum-docs/pull/11, and as a pull request is available at https://github.com/cabforum/documents/pull/194
> 
> The following motion has been proposed by Ryan Sleevi of Google and endorsed by Ben Wilson of Mozilla and Dimitris Zacharopoulos of HARICA.
> 
> — MOTION BEGINS —
> 
> This ballot modifies the “Guidelines for the Issuance and Management of Extended Validation Certificates” (“EV Guidelines”) as follows, based on version 1.7.2:
> 
> ADD a paragraph to Section 9.2.4 of the EV Guidelines as defined in the following redline: https://github.com/cabforum/documents/compare/d5067bbbfb46906c65e476ef3d55dd3b2c505a09..33de720df2af6328922524e675f02cb4468a9609
> 
> ADD a paragraph to Section 9.2.5 of the EV Guidelines as defined in the following redline: https://github.com/cabforum/documents/compare/d5067bbbfb46906c65e476ef3d55dd3b2c505a09..33de720df2af6328922524e675f02cb4468a9609
> 
> ADD a Section 11.1.3 to the EV Guidelines as defined in the following redline: https://github.com/cabforum/documents/compare/d5067bbbfb46906c65e476ef3d55dd3b2c505a09..33de720df2af6328922524e675f02cb4468a9609
> 
> The Chair or Vice-Chair is permitted to update the Relevant Dates of the EV Guidelines as appropriate, such as in the following redline: https://github.com/cabforum/documents/compare/d5067bbbfb46906c65e476ef3d55dd3b2c505a09..33de720df2af6328922524e675f02cb4468a9609
> 
> — MOTION ENDS —
> 
> This ballot proposes a Final Maintenance Guideline.
> 
> The procedure for approval of this ballot is as follows:
> 
> Discussion (7+ days)
> Start Time: 17-June 2020 00:00 UTC
> End Time: 24-June 2020 12:00 UTC
> 
> Vote for approval (7 days)
> Start Time: TBD
> End Time: TBD


WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: 29, Rte de Pré-Bois - CP 853 | Geneva 1215 CH - Switzerland

