[cabf_validation] BR 3.2.2.1 - Applicant’s Address of Existence or Operation

Ben Wilson ben.wilson at digicert.com
Fri May 19 13:54:57 MST 2017


As a follow-up from this week's Validation WG call, here is the section that
has been identified as potentially problematic:

 

3.2.2.1.   Identity

If the Subject Identity Information is to include the name or address of an
organization, the CA SHALL verify the identity and address of the
organization and that the address is the Applicant's address of existence or
operation.  The CA SHALL verify the identity and address of the Applicant
using documentation provided by, or through communication with, at least one
of the following:

 

1. A government agency in the jurisdiction of the Applicant's
legal creation, existence, or recognition;

2. A third party database that is periodically updated and
considered a Reliable Data Source;

3. A site visit by the CA or a third party who is acting as an
agent for the CA; or

4. An Attestation Letter.

The CA MAY use the same documentation or communication described in 1
through 4 above to verify both the Applicant's identity and address.  

 

Alternatively, the CA MAY verify the address of the Applicant (but not the
identity of the Applicant) using a utility bill, bank statement, credit card
statement, government-issued tax document, or other form of identification
that the CA determines to be reliable.

 

Note that the first sentence says "address of existence or operation".
"Existence" could mean legal existence or physical existence - but that's not
stated.  Then notice how subsection 1 allows a CA to rely on "the
jurisdiction of the Applicant's legal creation, existence, or recognition".
This is not consistent with the first sentence.  

 

Because this is for OV certificates, I favor a very broad standard that
allows flexible validation of certificate contents - an Applicant's address
that is reported by a government agency as that of its creation,
recognition, physical or legal existence, operation, or other established
presence.  I'd favor the same broad allowance for third party databases.
Both parts of this section need to be fixed - the first part that the
address is the Applicant's address of existence or operation and the second
part that talks about what the documentation is meant to establish.

 
