[Smcwg-public] Forbid issuance of certificates to ceased organizations
Adriano Santoni
adriano.santoni at staff.aruba.it
Tue Jan 9 16:44:14 UTC 2024
Hello all,
Authentication of organization identity involves the collection of some
attributes and their validation. To collect these attributes, a CA
typically queries a reliable third-party source, e.g. the business
register of the relevant country. Among the attributes that can be found
in these sources there is normally also the /operational status /of the
company, such as e.g. ACTIVE or CEASED.
To me, it seems logical that a certificate should not be issued to a
ceased company, but this is not specified in the SMBR. I believe we
should specify it.
In the current SMBR, the entity status is required to be ACTIVE only in
the particular case of inserting an LEI reference in the certificate
(which is not mandatory), but not in the more general case. Perhaps an
oversight?
A company that has gone out of business (e.g. in liquidation) may still
"exist" in a certain way for some time (you can still check any other
data regarding it, in the company registry), but it is still a defunct
company to which in my opinion, a certificate should not be issued. I
can imagine that someone will have a different opinion and say that
there is no problem in issuing a certificate to a company in
liquidation. But then, I see no reason why we require the entity status
to be ACTIVE "If an LEI data reference is used".
I therefore propose to include a clarification in the SMBRs (possibly in
section 3.2.3.1) that the operational status of the company is one of
the attributes to be collected, and that it must be ACTIVE (or the
equivalent according to the terminology of the relevant country),
regardless of whether a LEI reference is used or not in the certificate.
Adriano
PS: In my opinion, this also affects the BRs and the CSBRs.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20240109/92cd15c1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20240109/92cd15c1/attachment.p7s>
More information about the Smcwg-public
mailing list