[cabf_validation] [EXTERNAL]Re: Making progress on disclosures of data sources

Thu Apr 23 09:22:23 MST 2020

Stephan,

I wasn't talking about CA's lists being longer. In the specific case, for
the specific problem we're talking about, individuals don't matter - we're
talking about Registration Agencies / Incorporating Agencies.

Yes, I'm aware of organizations on GLEIF's list that would be questionable
as to whether they meet the requirement for the EV Guidelines requirements.

However, discussing those particular organizations doesn't help move us
closer to the goal of improved transparency and consistency among CAs,
unless the proposal is to wholesale adopt the GLEIF list. As shared in
Bratislava, we're not supportive of that, because there are a different set
of goals and purposes for our respective criteria. Despite these
differences, however, I think GLEIF is a good model about the /approach/ to
use to address that, and a good example of the benefit (to relying parties)
by doing such an exercise.

That's why this emphasis on transparency, so that we can move to build a
common list to ensure consistency between CAs (equivalent to your LOUs),
and ensure consistency for relying parties (similar to the inclusion of the
RA ID within the LEI data). However, wholesale adopting a dependency on
GLEIF or GLEIF's lists is not a goal.

On Thu, Apr 23, 2020 at 11:25 AM Stephan Wolf <Stephan.Wolf at gleif.org>
wrote:

> Ryan,
>
>
>
> I understand that the CA’s lists must be much longer. You also validate
> individuals. However, have you seen any entry on the GLEIF list that
> wouldn’t find your support? Maybe that’s starting point …
>
>
>
> Thx
>
> Stephan
>
>
>
> *Von: *Ryan Sleevi <sleevi at google.com>
> *Datum: *Donnerstag, 23. April 2020 um 15:57
> *An: *Stephan Wolf <Stephan.Wolf at Gleif.org>
> *Cc: *CA/Browser Forum Validation SC List <validation at cabforum.org>
> *Betreff: *Re: [cabf_validation] [EXTERNAL]Re: Making progress on
> disclosures of data sources
>
>
>
>
>
>
>
> On Thu, Apr 23, 2020 at 1:19 AM Stephan Wolf <Stephan.Wolf at gleif.org>
> wrote:
>
> If it helps, on GLEIF’s registration authorities list you’ll find 5
> Swedish offices suited for validation.
>
>
> https://www.gleif.org/en/about-lei/code-lists/gleif-registration-authorities-list
>
>
>
> Yes, we previously discussed that - the message from me you're replying to
> had some links to that past discussion.
>
>
>
> There was even discussion about whether or not it's appropriate to use
> GLEIF's list wholesale, shared both on the list and during our recent F2F
> in Bratislava. The concern is that the set of objectives with respect to
> Incorporating Agency and Registration Agency are somewhat different than
> GLEIF's RA list, and so while there's probably an 80% or more overlap,
> that's not 100%. The objective, which despite certain posts on the list was
> otherwise uncontroversial, as to get to a point where we could offer
> Relying Parties the same certainty, and consistency, and LEI ensures all of
> its LOUs offer.
>
>
>
> In the end, whether or not the CA/Browser Forum is able to succeed as an
> organization, and whether CAs are able to be trusted to provide information
> about organizations, is largely dependent upon the ability to self-regulate
> and address the pernicious data quality issues, including the selection of
> data sources. Our goal here is to try and collaboratively move to a model
> of unambiguous requirements, where all CAs consistently provide a baseline
> level of quality and service. We've been trying, for half a year now, in
> response to the wide industry trends, to get to a point where CAs disclose
> their sources used, and that we can make progress on an approach similar to
> GLEIF, and potentially in collaboration with GLEIF and other international
> organizations.
>
>
>
> However, thus far, all attempts at voluntary disclosure have been
> rebuffed, except for DigiCert. Despite commitments from other CAs in the
> past, including GlobalSign and Entrust Datacard, that they would work to
> disclose their data sources, we've not made progress. This ballot is an
> attempt to make forward progress here, while affording CAs the same
> flexibility in judgement and selection that they have today, but with
> simply added transparency to improve trust and build better industry
> awareness and understanding.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20200423/05bc4bb9/attachment.html>