[cabfpub] Ballot 113 - Revision to QIIS in EV Guidelines

Thibault de Valroger thibault.de.valroger at opentrust.com
Wed Jan 8 19:25:19 UTC 2014


OPENTRUST votes YES

(OPENTRUST was formerly named KEYNECTIS)

Envoyé depuis mon blackberry.

  _____

De : public-bounces at cabforum.org <public-bounces at cabforum.org>
À : public at cabforum.org <public at cabforum.org>
Envoyé : Wed Jan 08 20:17:06 2014
Objet : Re: [cabfpub] Ballot 113 - Revision to QIIS in EV Guidelines



DigiCert votes “YES”



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On 
Behalf Of Ben Wilson
Sent: Monday, December 30, 2013 4:47 PM
To: public at cabforum.org
Subject: [cabfpub] Ballot 113 - Revision to QIIS in EV Guidelines



Ballot 113 - Revision to QIIS in EV Guidelines



The following proposal comes from EV working group.    Jeremy Rowley made 
the following motion, and Rich Smith and Kirk Hall have endorsed it.



This ballot proposes a replacement to Section 11.10.5 of the Extended 
Validation Guidelines, which defines the qualifications of a QIIS.  The 
previous QIIS definition did not accurately capture current CA practices. In 
fact, a strict reading of the existing definition might imply that CAs were 
prohibited from using Dun & Bradstreet, Hoovers, and other commercially 
reliable sources generally regarded as accurate sources of information.  The 
proposed definition consolidates confusing and overlapping requirements 
while clarifying the QIIS verification requirements for CAs.  The new 
definition permits CAs to use databases of information if the CA has 
documented its process to verify the data’s accuracy and the CA knows the 
information is not self-reported.



--- Motion begins ---



Effective immediately:



Replace Section 11.10.5 in the EV Guidelines:



11.10.5  Qualified Independent Information Source



A Qualified Independent Information Source (QIIS) is a regularly-updated and 
current, publicly available, database designed for the purpose of accurately 
providing the information for which it is consulted, and which is generally 
recognized as a dependable source of such information.  A commercial 
database is a QIIS if the following are true:

(1)          Industry groups rely on the database for providing accurate 
location or contact information;

(2)          The database distinguishes between self-reported data and data 
reported by independent information sources;

(3)          The database provider identifies how frequently they update the 
information in their database;

(4)          Changes in the data that will be relied upon will be reflected 
in the database in no more than 12 months; and

(5)          The database provider uses authoritative sources independent of 
the Subject, or multiple corroborated sources, to which the data pertains.

Databases in which the CA or its owners or affiliated companies maintain a 
controlling interest, or in which any Registration Authorities or 
subcontractors to whom the CA has outsourced any portion of the vetting 
process (or their owners or affiliated companies) maintain any ownership or 
beneficial interest do not qualify as a QIIS.  The CA MUST check the 
accuracy of the database and ensure its data is acceptable.



With the following proposed language for Section 11.10.5:



11.10.5 Qualified Independent Information Source



A Qualified Independent Information Source (QIIS) is a regularly updated and 
publicly available database that is generally recognized as a dependable and 
accurate source for certain information.

A database qualifies as a QIIS if the CA determines that:

(1) Industries other than the certificate industry rely on the database for 
accurate location, contact, or other information; and

(2) The database provider updates its data on at least an annual basis.

The CA SHALL use a documented process to check the accuracy of the database 
and ensure its data is acceptable, including reviewing the database provider’s 
terms of use.

The CA SHALL NOT use any data in a QIIS that the CA knows is (i) 
self-reported and (ii) not verified by the QIIS as accurate.

Databases in which the CA or its owners or affiliated companies maintain a 
controlling interest, or in which any Registration Authorities or 
subcontractors to whom the CA has outsourced any portion of the vetting 
process (or their owners or affiliated companies) maintain any ownership or 
beneficial interest, do not qualify as a QIIS.



--- Motion ends ---



The review period for this ballot shall commence immediately at 2300 UTC on 
30 December 2013 and will close on 6 January 2014.

Unless the motion is withdrawn during the review period, the voting period 
will start immediately thereafter and will close at 2300 UTC on 13 January 
2014.

Votes must be cast by posting an on-list reply to this thread.

A vote in favor of the ballot must indicate a clear ‘yes’ in the response.

A vote against the ballot must indicate a clear ‘no’ in the response.

A vote to abstain must indicate a clear ‘abstain’ in the response.

Unclear responses will not be counted.

The latest vote received from any representative of a voting member before 
the close of the voting period will be counted.

Voting members are listed here: https://cabforum.org/members/

In order for the motion to be adopted, two thirds or more of the votes cast 
by members in the CA category and more than one half of the votes cast by 
members in the browser category must be in favor.

Quorum is currently six (6) members– at least six members must participate 
in the ballot, either by voting in favor, voting against, or by abstaining 
for the vote to be valid.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140108/d193ac5e/attachment-0003.html>


More information about the Public mailing list