[Smcwg-public] Forbid issuance of certificates to ceased organizations

Adriano Santoni adriano.santoni at staff.aruba.it
Tue Jan 9 16:44:14 UTC 2024 

Hello all,

Authentication of organization identity involves the collection of some 
attributes and their validation. To collect these attributes, a CA 
typically queries a reliable third-party source, e.g. the business 
register of the relevant country. Among the attributes that can be found 
in these sources there is normally also the /operational status /of the 
company, such as e.g. ACTIVE or CEASED.

To me, it seems logical that a certificate should not be issued to a 
ceased company, but this is not specified in the SMBR. I believe we 
should specify it.

In the current SMBR, the entity status is required to be ACTIVE only in 
the particular case of inserting an LEI reference in the certificate 
(which is not mandatory), but not in the more general case. Perhaps an 
oversight?

A company that has gone out of business (e.g. in liquidation) may still 
"exist" in a certain way for some time (you can still check any other 
data regarding it, in the company registry), but it is still a defunct 
company to which in my opinion, a certificate should not be issued. I 
can imagine that someone will have a different opinion and say that 
there is no problem in issuing a certificate to a company in 
liquidation. But then, I see no reason why we require the entity status 
to be ACTIVE "If an LEI data reference is used".

I therefore propose to include a clarification in the SMBRs (possibly in 
section 3.2.3.1) that the operational status of the company is one of 
the attributes to be collected, and that it must be ACTIVE (or the 
equivalent according to the terminology of the relevant country), 
regardless of whether a LEI reference is used or not in the certificate.

Adriano

PS: In my opinion, this also affects the BRs and the CSBRs.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20240109/92cd15c1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20240109/92cd15c1/attachment.p7s>

More information about the Smcwg-public mailing list