[cabfpub] Ballot 113 - Revision to QIIS in EV Guidelines

Gervase Markham gerv at mozilla.org
Thu Jan 9 15:51:38 UTC 2014


On 08/01/14 19:17, Jeremy Rowley wrote:
> Just as a reminder – the voting for this ends Monday. Be sure to vote.

Mozilla votes YES, on the basis that this change seems not to have a
notable effect on the strength of EV validation. But if anyone reading
the list has reason to believe the contrary, please let us know.

Gerv

> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> *On Behalf Of* Ben Wilson
> *Sent:* Monday, December 30, 2013 4:47 PM
> *To:* public at cabforum.org
> *Subject:* [cabfpub] Ballot 113 - Revision to QIIS in EV Guidelines
> 
>  
> 
> Ballot 113 - Revision to QIIS in EV Guidelines
> 
>  
> 
> The following proposal comes from the EV working group. Jeremy Rowley
> made the following motion, and Rich Smith and Kirk Hall have endorsed it.
> 
>  
> 
> This ballot proposes a replacement to Section 11.10.5 of the Extended
> Validation Guidelines, which defines the qualifications of a QIIS.  The
> previous QIIS definition did not accurately capture current CA
> practices. In fact, a strict reading of the existing definition might
> imply that CAs were prohibited from using Dun & Bradstreet, Hoovers, and
> other commercially reliable sources generally regarded as accurate
> sources of information.  The proposed definition consolidates confusing
> and overlapping requirements while clarifying the QIIS verification
> requirements for CAs.  The new definition permits CAs to use databases
> of information if the CA has documented its process to verify the data’s
> accuracy and the CA knows the information is not self-reported. 
> 
>  
> 
> --- Motion begins ---
> 
>  
> 
> Effective immediately:
> 
>  
> 
> Replace Section 11.10.5 in the EV Guidelines:
> 
>  
> 
> 11.10.5  Qualified Independent Information Source
> 
>  
> 
> A Qualified Independent Information Source (QIIS) is a regularly-updated
> and current, publicly available, database designed for the purpose of
> accurately providing the information for which it is consulted, and
> which is generally recognized as a dependable source of such
> information.  A commercial database is a QIIS if the following are true:
> 
> (1) Industry groups rely on the database for providing accurate
> location or contact information;
> 
> (2) The database distinguishes between self-reported data and
> data reported by independent information sources;
> 
> (3) The database provider identifies how frequently they update
> the information in their database;
> 
> (4) Changes in the data that will be relied upon will be
> reflected in the database in no more than 12 months; and
> 
> (5) The database provider uses authoritative sources
> independent of the Subject, or multiple corroborated sources, to which
> the data pertains.
> 
> Databases in which the CA or its owners or affiliated companies maintain
> a controlling interest, or in which any Registration Authorities or
> subcontractors to whom the CA has outsourced any portion of the vetting
> process (or their owners or affiliated companies) maintain any ownership
> or beneficial interest do not qualify as a QIIS.  The CA MUST check the
> accuracy of the database and ensure its data is acceptable.
> 
>  
> 
> With the following proposed language for Section 11.10.5:
> 
>  
> 
> 11.10.5 Qualified Independent Information Source
> 
>  
> 
> A Qualified Independent Information Source (QIIS) is a regularly updated
> and publicly available database that is generally recognized as a
> dependable and accurate source for certain information.
> 
> A database qualifies as a QIIS if the CA determines that:
> 
> (1) Industries other than the certificate industry rely on the database
> for accurate location, contact, or other information; and
> 
> (2) The database provider updates its data on at least an annual basis.
> 
> The CA SHALL use a documented process to check the accuracy of the
> database and ensure its data is acceptable, including reviewing the
> database provider’s terms of use. 
> 
> The CA SHALL NOT use any data in a QIIS that the CA knows is (i)
> self-reported and (ii) not verified by the QIIS as accurate. 
> 
> Databases in which the CA or its owners or affiliated companies maintain
> a controlling interest, or in which any Registration Authorities or
> subcontractors to whom the CA has outsourced any portion of the vetting
> process (or their owners or affiliated companies) maintain any ownership
> or beneficial interest, do not qualify as a QIIS.
> 
>  
> 
> --- Motion ends ---
> 
>  
> 
> The review period for this ballot shall commence immediately at 2300 UTC
> on 30 December 2013 and will close on 6 January 2014.
> 
> Unless the motion is withdrawn during the review period, the voting
> period will start immediately thereafter and will close at 2300 UTC on
> 13 January 2014.
> 
> Votes must be cast by posting an on-list reply to this thread.
> 
> A vote in favor of the ballot must indicate a clear ‘yes’ in the response.
> 
> A vote against the ballot must indicate a clear ‘no’ in the response.
> 
> A vote to abstain must indicate a clear ‘abstain’ in the response.
> 
> Unclear responses will not be counted.
> 
> The latest vote received from any representative of a voting member
> before the close of the voting period will be counted.
> 
> Voting members are listed here: https://cabforum.org/members/
> 
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and more than one half of the votes
> cast by members in the browser category must be in favor.
> 
> Quorum is currently six (6) members – at least six members must
> participate in the ballot, either by voting in favor, voting against, or
> by abstaining for the vote to be valid.
> 