[cabfpub] Ballot 113 - Revision to QIIS in EV Guidelines

y-iida at secom.co.jp
Fri Jan 10 05:10:27 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECOM Trust Systems votes "yes".
- --
  iida

>Just as a reminder - the voting for this ends Monday. Be sure to vote.
>
>From: public-bounces at cabforum.org
> [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
>Sent: Monday, December 30, 2013 4:47 PM
>To: public at cabforum.org
>Subject: [cabfpub] Ballot 113 - Revision to QIIS in EV
> Guidelines
>
>Ballot 113 - Revision to QIIS in EV Guidelines 
>
>The following proposal comes from the EV working group.  Jeremy
>Rowley made the following motion, and Rich Smith and Kirk Hall
>have endorsed it.
>
>This ballot proposes a replacement to Section 11.10.5 of the
>Extended Validation Guidelines, which defines the
>qualifications of a QIIS.  The previous QIIS definition did not
>accurately capture current CA practices. In fact, a strict
>reading of the existing definition might imply that CAs were
>prohibited from using Dun & Bradstreet, Hoovers, and other
>commercially reliable sources generally regarded as accurate
>sources of information.  The proposed definition consolidates
>confusing and overlapping requirements while clarifying the
>QIIS verification requirements for CAs.  The new definition
>permits CAs to use databases of information if the CA has
>documented its process to verify the data's accuracy and the CA
>knows the information is not self-reported.
>
>--- Motion begins ---
>Effective immediately:
>Replace Section 11.10.5 in the EV Guidelines:
>
>11.10.5 Qualified Independent Information Source
>
>A Qualified Independent Information Source (QIIS) is a
>regularly-updated and current, publicly available, database
>designed for the purpose of accurately providing the
>information for which it is consulted, and which is generally
>recognized as a dependable source of such information.  A
>commercial database is a QIIS if the following are true:
>
>(1) Industry groups rely on the database for providing accurate
>location or contact information;
>
>(2) The database distinguishes between self-reported data and
>data reported by independent information sources;
>
>(3) The database provider identifies how frequently they update
>the information in their database;
>
>(4) Changes in the data that will be relied upon will be
>reflected in the database in no more than 12 months; and
>
>(5) The database provider uses authoritative sources
>independent of the Subject, or multiple corroborated sources,
>to which the data pertains.
>
>Databases in which the CA or its owners or affiliated companies
>maintain a controlling interest, or in which any Registration
>Authorities or subcontractors to whom the CA has outsourced any
>portion of the vetting process (or their owners or affiliated
>companies) maintain any ownership or beneficial interest do not
>qualify as a QIIS.  The CA MUST check the accuracy of the
>database and ensure its data is acceptable.
>
>With the following proposed language for Section 11.10.5:
>
>11.10.5 Qualified Independent Information Source
>
>A Qualified Independent Information Source (QIIS) is a
>regularly updated and publicly available database that is
>generally recognized as a dependable and accurate source for
>certain information.
>
>A database qualifies as a QIIS if the CA determines that:
>
>(1) Industries other than the certificate industry rely on the
>database for accurate location, contact, or other information;
>and
>
>(2) The database provider updates its data on at least an
>annual basis.
>
>The CA SHALL use a documented process to check the accuracy of
>the database and ensure its data is acceptable, including
>reviewing the database provider's terms of use.
>
>The CA SHALL NOT use any data in a QIIS that the CA knows is
>(i) self-reported and (ii) not verified by the QIIS as
>accurate.
>
>Databases in which the CA or its owners or affiliated companies
>maintain a controlling interest, or in which any Registration
>Authorities or subcontractors to whom the CA has outsourced any
>portion of the vetting process (or their owners or affiliated
>companies) maintain any ownership or beneficial interest, do
>not qualify as a QIIS.
>--- Motion ends ---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFSz4CPYYPdCnCyRyoRAmfgAJ0ZAFhffA9f4NSuHhiT27HApKhJaQCdFYCw
xe/j9pSDpgw53L9mrNsN+xM=
=KUup
-----END PGP SIGNATURE-----


