[cabf_validation] Change to EV 9.2.7

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Mar 6 11:14:23 MST 2017


I'm certainly open to changes - but I just want to say I'm not sure there is a company "legal" address in all jurisdictions.  There may (or may not) be an address in the government registry that is actually a location for a company office -- in many cases in the UK, the ONLY address for a company you see in Companies House is the address of the company's law firm (its agent for service of process and official notices).

I think the EV 9.2.7 concept was for the CA to confirm SOME office location where the company can be found.  In general, we use a QIIS like Hoovers / D&B, which pretty clearly lists physical locations where company operations occur (not necessarily the "legal" address for the company you would find in a government registry -- which may not actually be an address where the company has operations).

So I think the VWG should maybe start by deciding what they want this field to be -- some confirmed location where the company can physically be found (i.e., where it runs its operations), or a location that is the company's "legal" location in government records, or both/either?  Then we can make any edits needed.

-----Original Message-----
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Adriano Santoni via Validation
Sent: Monday, March 6, 2017 5:14 AM
To: validation at cabforum.org
Cc: Adriano Santoni <adriano.santoni at staff.aruba.it>
Subject: Re: [cabf_validation] Change to EV 9.2.7

... and further to my previous remarks on EV certificates, I still believe that the BRs should be improved in the section describing requirements on address validation:

<<3.2.2.1. Identity
If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant's address of existence or operation.>>

Taken at face value, this sentence implies that either one address ("the ... address of existence") or the other ("[address of] ... operation") can be inserted in an OV certificate, tertium non datur.

First issue, "address of existence" has no obvious meaning and neither is it defined in the BRs. So I would either define it, or replace it with a more common locution (e.g. official / legal address).
Second issue, I would remove that definite article "the" and use plurals -- if this is what we (CAs and browsers) actually mean.

How about rephrasing this sentence as follows:

<<3.2.2.1. Identity
If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address either is one of the Applicant's legal addresses or one of the Applicant's business addresses (i.e. a location where the Applicant runs its business from).>>

I am sure the language can be improved, but I think you grasp what I mean....

Adriano




On 06/03/2017 12:23, Adriano Santoni via Validation wrote:
>
> Kirk, what you propose seems reasonable from a practical point of 
> view, and I guess it's the more common interpretation among CAs, but 
> it inevitably leads to the possibility that several certificates 
> issued to the same organization have different addresses in them. If 
> nothing else, this is ugly to me. If the address of an organization is 
> part of its identity (and I would say it is), then I do not expect 
> that address to vary among several certificates issued to the same 
> organization. At least, not in EV certificates.
>
> Adriano
>
>
> On 05/03/2017 03:14, Kirk Hall wrote:
>>
>> Hmmm...  I would not want to limit certificate Applicants to only one 
>> "official" place of business.  I think it should be any physical 
>> location where the CA can prove the Applicant maintains an official 
>> place of business.
>>
>> For example, my previous company Trend Micro had major offices in 
>> Cupertino, CA, Irving, TX, and Tokyo.  All three could be confirmed 
>> in D&B/Hoover's. In North America, the "headquarters" was Texas, but 
>> Japan was the official "headquarters".  However, the US company was a 
>> California corporation that listed its Cupertino CA address - but 
>> that was not "headquarters".  I think in some jurisdictions (like the 
>> UK - Companies House), the "official registered office" address in 
>> the government record is NOT a physical location of any company 
>> office, but  the location of its Registered Agent (maybe a law firm).
>>
>> If you look at a QIIS like Hoover's, for some businesses you may see
>> 20 or 100 confirmed business location addresses listed.  Sometimes 
>> one is designated "Headquarters", but it may be a small office in a 
>> tax jurisdiction, etc., and/or the IT department may all be located 
>> at a different confirmed physical location the customer wants.
>>
>> So I think we should only require a CA to confirm physical location 
>> of "an" office of the Applicant (using a QIIS or QGIS), as there may 
>> not be "the" office. And I would not require CAs to use the address 
>> listed in the government registry, as it may not reflect any physical 
>> location where the Applicant does business.
>>
>> As I recall, this part of the EVGL (at least) was intended to help 
>> people have *some* physical address where they could find the actual 
>> business, not agents, etc.  We did separately require the CA to also 
>> record the Registered Agent information as found in the government 
>> record.
>>
>> So I would recommend we change "the" to "a" in EVG: 9.2.7 the next 
>> time we do a general cleanup ballot.  Or change to read " the 
>> physical location *one* of the Subject's Places of Business
>>
>> 9.2.7. Subject Physical Address of Place of Business Field
>>
>> Certificate fields:
>>
>> Number and street: subject:streetAddress (OID: 2.5.4.9)
>>
>> City or town: subject:localityName (OID: 2.5.4.7)
>>
>> State or province (where applicable): subject:stateOrProvinceName
>> (OID: 2.5.4.8)
>>
>> Country: subject:countryName (OID: 2.5.4.6)
>>
>> Postal code: subject:postalCode (OID: 2.5.4.17)
>>
>> Required/Optional: City, state, and country - Required; Street and 
>> postal code - Optional
>>
>> Contents: This field MUST contain the address of the physical 
>> location of the Subject's Place of Business.
>>
>> -----Original Message-----
>> From: Validation [mailto:validation-bounces at cabforum.org] On Behalf 
>> Of Adriano Santoni via Validation
>> Sent: Thursday, March 2, 2017 11:44 PM
>> To: validation at cabforum.org
>> Cc: Adriano Santoni <adriano.santoni at staff.aruba.it>
>> Subject: Re: [cabf_validation] Change to EV 9.2.7
>>
>> +1
>>
>> On 02/03/2017 20:28, Mark B. Cooper via Validation wrote:
>> >
>> > I suspect defining the place of business as being the legally
>> > registered location of the business would be a more accurate and
>> > descriptive term. This would be easier to verify in D&B records as
>> > well as other sources. "a place" of business is going to be much
>> > harder for issuers to verify as a business may have many locations
>> > that aren't necessarily registered with entities.
>> >
>> > -Mark
>> >
>> > *Mark B. Cooper*
>> > President & Founder
>> > PKI Solutions Inc.
>> > www.pkisolutions.com <http://www.pkisolutions.com>
>> > Telephone: +1 971 231 5523
>> >
>> > *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf Of* Rick Andrews via Validation
>> > *Sent:* Wednesday, March 1, 2017 3:48 PM
>> > *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
>> > *Cc:* Rick Andrews <Rick_Andrews at symantec.com>
>> > *Subject:* Re: [cabf_validation] Change to EV 9.2.7
>> >
>> > Jeremy,
>> >
>> > "This field MUST contain the address of the physical location of the
>> > Subject's Place of Business." What does "the" mean here? Many
>> > businesses have multiple physical locations. Should it be "a" instead?
>> > Should we clarify that it doesn't have to be the physical location of
>> > the server(s) hosting the certificate?
>> >
>> > -Rick
>> >
>> > *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf Of* Jeremy Rowley via Validation
>> > *Sent:* Wednesday, February 22, 2017 11:30 PM
>> > *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
>> > *Cc:* Jeremy Rowley <jeremy.rowley at digicert.com>
>> > *Subject:* Re: [cabf_validation] Change to EV 9.2.7
>> >
>> > I've created this as ballot 191. Do we have a second endorser?
>> >
>> > Ballot 191 - Clarify Place of Business Information Field Inclusion
>> >
>> > The current EV Guidelines are not clear on what address information is
>> > required in a certificate. This ballot clarifies the requirements.
>> >
>> > --Motion Begins--
>> >
>> > A. Modify Section 9.2.7 as follows:
>> >
>> > '''9.2.7. Subject Physical Address of Place of Business Field'''
>> >
>> > Certificate fields:
>> >
>> > Number and street: subject:streetAddress (OID: 2.5.4.9)
>> >
>> > City or town: subject:localityName (OID: 2.5.4.7)
>> >
>> > State or province (where applicable): subject:stateOrProvinceName (OID: 2.5.4.8)
>> >
>> > Country: subject:countryName (OID: 2.5.4.6)
>> >
>> > Postal code: subject:postalCode (OID: 2.5.4.17)
>> >
>> > Required/Optional: --(City, state, and country - Required; Street and
>> > postal code - Optional)-- __As stated in Section 7.1.4.2.2 d, e, f, g
>> > and h of the Baseline Requirements__
>> >
>> > Contents: This field MUST contain the address of the physical location
>> > of the Subject's Place of Business.
>> >
>> > --Motion Ends--
>> >
>> > *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf Of* Bruce Morton via Validation
>> > *Sent:* Wednesday, January 25, 2017 12:51 PM
>> > *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
>> > *Cc:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
>> > *Subject:* [cabf_validation] Change to EV 9.2.7
>> >
>> > To deal with the Require/Optional requirement or the Place of
>> > Business, I propose a simple change which will make the EV Guidelines
>> > consistent with the Baseline Requirements.
>> >
>> > The EV Guidelines currently state:
>> >
>> > *9.2.7. Subject Physical Address of Place of Business Field*
>> >
>> > *Certificate fields:*
>> >
>> > Number and street: subject:streetAddress (OID: 2.5.4.9)
>> >
>> > City or town: subject:localityName (OID: 2.5.4.7)
>> >
>> > State or province (where applicable): subject:stateOrProvinceName (OID: 2.5.4.8)
>> >
>> > Country: subject:countryName (OID: 2.5.4.6)
>> >
>> > Postal code: subject:postalCode (OID: 2.5.4.17)
>> >
>> > *Required/Optional:* City, state, and country - Required; Street and
>> > postal code - Optional
>> >
>> > *Contents:* This field MUST contain the address of the physical
>> > location of the Subject's Place of Business.
>> >
>> > To address the Required/Optional issue, I propose the following change.
>> >
>> > *9.2.7. Subject Physical Address of Place of Business Field*
>> >
>> > *Certificate fields:*
>> >
>> > Number and street: subject:streetAddress (OID: 2.5.4.9)
>> >
>> > City or town: subject:localityName (OID: 2.5.4.7)
>> >
>> > State or province (where applicable): subject:stateOrProvinceName (OID: 2.5.4.8)
>> >
>> > Country: subject:countryName (OID: 2.5.4.6)
>> >
>> > Postal code: subject:postalCode (OID: 2.5.4.17)
>> >
>> > *Required/Optional:* As stated in Section 7.1.4.2.2 d, e, f, g and h
>> > of the Baseline Requirements
>> >
>> > *Contents:* This field MUST contain the address of the physical
>> > location of the Subject's Place of Business.
>> >
>> > _______________________________________________
>> > Validation mailing list
>> > Validation at cabforum.org <mailto:Validation at cabforum.org>
>> > https://cabforum.org/mailman/listinfo/validation
>>
>> --
>> Kind regards,
>>
>> Adriano Santoni
>> ACTALIS S.p.A.
>> (Aruba Group)
>>
>
> --
>
> Kind regards,
>
> Adriano Santoni
> ACTALIS S.p.A.
> (Aruba Group)
>

-- 

Kind regards,

Adriano Santoni
ACTALIS S.p.A.
(Aruba Group)



