[cabf_validation] Identity and trust beyond EV Certificates
Henrik Biering
hb at peercraft.com
Fri May 8 02:36:59 MST 2020
I am new to this forum, but for some time I have followed the
discussions of enhanced validation both on the CA/Browser Forum lists
and in the wild. Personally, I am convinced that much more needs to be
done to facilitate internet wide identity, trust, and service discovery.
Otherwise we may see all trade moving into confined market places with
their own proprietary identity and trust mechanisms.
Nevertheless, browsers have demoted visual indicators for EV
certificates. They refer to insufficient adoption among service
providers to reach a tipping point that would justify the use of clear
negative indicators for non-compliance. Such a tipping point was
gradually reached for DV certificates in support of integrity and
confidentiality (the padlock). But suggestions on how to achieve a
similarly widespread use of EV certificates in support of identity
verification have been missing. Therefore, I have addressed this issue
in a discussion paper, available here:
https://www.bedreid.dk/identity-and-trust-beyond-ev-certificates
The paper is deliberately kept as non-technical as possible in order to
focus the initial debate on the principles rather than specific
technical details.
TL;DR: The proposal revolves around a new feature offered by an
increasing number of business registries, mainly in Northern Europe:
allowing entities to register a digital end-point (URL) directly as part
of their registration record. This allows automation of the relation
between the legal entity and the online resource rather than the current
troublesome need to investigate this connection via
officers/employees/lawyers. It also means that the verification of
mutually matching claims between the legal entity and the registrant can
take place client side when needed in near real-time.
The proposal has some elements in common with initiatives that have been
proposed in this forum lately, such as developing a list of accepted
registries for registration of legal entities, and the question raised
in relation to QWAC certificates regarding non-TLS delivery mechanisms
for other claims.
However, the proposal goes quite a bit further in regarding the basic
identity not as an end goal in itself (as with current EV certificates),
but rather as a placeholder to gather additional trust related claims
about the business entity. We refer to that as OpenDiscovery.
Some while ago Peercraft made a very basic OpenDiscovery PoC using the
Danish business registry:
https://www.opendiscovery.biz/
With more business registries now supporting URL registration, Peercraft
plans to improve and further develop this PoC into a generally useful
set of open source components allowing business entities to exhibit self
asserted as well as third party verified claims about themselves. To
make the solution more widely applicable, EV CT-logs could be used to
facilitate a fallback solution offering businesses in other
jurisdictions similar OpenDiscovery advantages.
I would like to gauge the potential interest among CA/Browser Forum
members (CA as well as browser perspective) in such a development and
would welcome any suggestions and concerns in relation to the paper as
well as possible input to the suggested functionality.
Specifically, it would be interesting to know if the CA/Browser Forum
could envision specifying an automated EV issuance procedure, possibly
as an extension to the ACME protocol that could be used when issuing
certificates to entities registered with URL supporting business
registries on the accepted CA/Browser Forum list.
Best,
Henrik
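The client-side check of mutually matching claims described above, as an added illustration that is not part of the post, the paper, or Peercraft's PoC. The registry lookup table, the record fields, and the claim format are assumptions, and the sample records are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample registry data (hypothetical; not a real registry export).
# Key: (registry name, entity id) -> registration record.
# The "url" field models the digital end-point a registry lets an entity record.
REGISTRY = {
    ("DK-CVR", "12345678"): {"name": "Example ApS", "url": "https://shop.example.dk/"},
    ("DK-CVR", "87654321"): {"name": "No-Endpoint ApS"},
}

def origin(url):
    """Normalise a URL to its (scheme, host, port) origin for comparison."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)

def verify_mutual_claim(site_claim, fetched_from, registry):
    """Check that the registry record and the web resource point at each other.

    site_claim:   what the web resource asserts about itself, e.g.
                  {"registry": "DK-CVR", "entity_id": "12345678"} (assumed format)
    fetched_from: the URL the client actually retrieved the claim from
    registry:     lookup table of registration records (constructed above)
    Returns ("ok", legal name) or ("fail", reason).
    """
    key = (site_claim.get("registry"), site_claim.get("entity_id"))
    record = registry.get(key)
    if record is None:
        return ("fail", "no registry record for claimed entity")
    registered = record.get("url")
    if not registered:
        return ("fail", "registry record has no registered URL")
    # Both directions must agree: the registry names this origin and the
    # claim was served from that same origin, so a claim on one side alone
    # is not enough to establish the link.
    if origin(registered) != origin(fetched_from):
        return ("fail", "served origin does not match registered URL")
    return ("ok", record["name"])
```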