[cabf_validation] Validation Subcommittee - minutes of meeting held 14-Feb-2019

Fri Feb 15 11:24:50 MST 2019

Present: Wayne Thayer, Ben Wilson, Doug Beattie, Dean Coclin, Ryan Sleevi, Bruce Morton, Steve Roylance, Rich Smith, Christof? [BM - I did not record the attendees, nor were the names on the recording, so this could be updated]

Agenda:
1. Assign minutes / start recording
2. LEI discussion
3. IDN encodings and related issues
4. Topics for F2F agenda
5. Pending ballots

1. Bruce Morton was assigned to take minutes and Ben started the recording.

2. LEI Discussion
There was no agenda for the LEI discussion. There were some previously discussed issues presented.
- Do LEIs meet the BR standard for OU?
- LEI information may change over time. The company name may change.
- LEI indication in the certificate is a lookup to other data source which the CA does not verify.
- How are LEIs assigned or reused?
- If there changes can the history be reviewed? Is it time-stamped?

Response
- LEI is a 20 digit alpha-numeric code with no meaning
- One legal entity has one LEI code ever and no LEI code is ever reused
- If a legal entity is acquired but is independent, then it would keep its LEI code
- If a legal entity is acquired, but is not independent, then it would be merged, but the LEI code will remain as retired. Steve Roylance provided an example, https://www.gleif.org/lei/8156003296F50CB59850

How do we make sure that the LEI code was assigned to the legal entity at the time of CA validation? How can you cross-check that the CA validated the LEI code?

Response
- The full history of the reference data is on the site and updated 3 times per day.
- If the data changes, then it will be updated in the LEI database. So an address update will be updated.

What guidelines are there for the Local Organization Units (LOUs) to ensure the data is reliable for all LOUs?

Response
- There is an LOU accreditation process which verifies all processes and procedures. LOU's are revalidated. LOU's may be asked or additional information if there is suspicion that the quality is not met. LOU's may be asked for a remediation plan. An onsite audit may be required.
- There is a challenge process that anyone can open, which the LOU has to address.

What is the validation process for a CA to match an LEI to a legal entity? What are the edge cases?

Response
- Rich Smith stated that he would look for a one-to-one match of information about the entity and the LEI data. Would not allow the data unless it is fully corroborated.
- Fully corroborated means that all fields have been verified. Partly corroborated may mean that only one piece of data was not verified.

Ryan was concerned about using GLEIF as a QIIS. More discussion is required.

Steve Roylance provided best practice LEI and certificates https://www.ubisecure.com/legal-entity-identifier-lei/lei-in-digital-certificates-best-practice-definitions/ 

Agenda items 3, 4 and 5 were not discussed