[cabf_validation] Change to EV 9.2.7
Kirk Hall
Kirk.Hall at entrustdatacard.com
Sat Mar 4 19:14:55 MST 2017
Hmmm... I would not want to limit certificate Applicants to only one "official" place of business. I think it should be any physical location where the CA can prove the Applicant maintains an official place of business.
For example, my previous company Trend Micro had major offices in Cupertino, CA, Irving, TX, and Tokyo. All three could be confirmed in D&B/Hoover's. In North America, the "headquarters" was Texas, but Japan was the official "headquarters". However, the US company was a California corporation that listed its Cupertino CA address - but that was not "headquarters". I think in some jurisdictions (like the UK - Companies House), the "official registered office" address in the government record is NOT a physical location of any company office, but the location of its Registered Agent (maybe a law firm).
If you look at a QIIS like Hoover's, for some businesses you may see 20 or 100 confirmed business location addresses listed. Sometimes one is designated "Headquarters", but it may be a small office in a tax jurisdiction, etc., and/or the IT department may all be located at a different confirmed physical location the customer wants.
So I think we should only require a CA to confirm physical location of "an" office of the Applicant (using a QIIS or QGIS), as there may not be "the" office. And I would not require CAs to use the address listed in the government registry, as it may not reflect any physical location where the Applicant does business.
As I recall, this part of the EVGL (at least) was intended to help people have *some* physical address where they could find the actual business, not agents, etc. We did separately require the CA to also record the Registered Agent information as found in the government record.
So I would recommend we change "the" to "a" in EVG: 9.2.7 the next time we do a general cleanup ballot. Or change to read " the physical location one of the Subject's Places of Business
9.2.7. Subject Physical Address of Place of Business Field
Certificate fields:
Number and street: subject:streetAddress (OID: 2.5.4.9)
City or town:subject:localityName (OID: 2.5.4.7)
State or province (where applicable): subject:stateOrProvinceName (OID: 2.5.4.8)
Country: subject:countryName (OID: 2.5.4.6)
Postal code: subject:postalCode (OID: 2.5.4.17)
Required/Optional: City, state, and country - Required; Street and postal code - Optional
Contents: This field MUST contain the address of the physical location of the Subject's Place of Business.
-----Original Message-----
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Adriano Santoni via Validation
Sent: Thursday, March 2, 2017 11:44 PM
To: validation at cabforum.org
Cc: Adriano Santoni <adriano.santoni at staff.aruba.it>
Subject: Re: [cabf_validation] Change to EV 9.2.7
+1
Il 02/03/2017 20:28, Mark B. Cooper via Validation ha scritto:
>
> I suspect defining the place of business as being the legally
> registered location of the business would be a more accurate and
> descriptive term. This would be easier to verify in D&B records as
> well as other sources. "a place" of business is going to be much
> harder for issuers to verify as a business may have many locations
> that aren't necessarily registered with entities.
>
> -Mark
>
> *Mark B. Cooper*
>
> President & Founder
>
> PKI Solutions Inc.
>
> www.pkisolutions.com<http://www.pkisolutions.com>
>
> Telephone: +1 971 231 5523
>
> *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf
> Of *Rick Andrews via Validation
> *Sent:* Wednesday, March 1, 2017 3:48 PM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org<mailto:validation at cabforum.org>>
> *Cc:* Rick Andrews <Rick_Andrews at symantec.com<mailto:Rick_Andrews at symantec.com>>
> *Subject:* Re: [cabf_validation] Change to EV 9.2.7
>
> Jeremy,
>
> "This field MUST contain the address of the physical location of the
> Subject's Place of Business." What does "the" mean here? Many
> businesses have multiple physical locations. Should it be "a" instead?
> Should we clarify that it doesn't have to be the physical location of
> the server(s) hosting the certificate?
>
> -Rick
>
> *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf
> Of *Jeremy Rowley via Validation
> *Sent:* Wednesday, February 22, 2017 11:30 PM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org
> <mailto:validation at cabforum.org>>
> *Cc:* Jeremy Rowley <jeremy.rowley at digicert.com
> <mailto:jeremy.rowley at digicert.com>>
> *Subject:* Re: [cabf_validation] Change to EV 9.2.7
>
> I've created this as ballot 191. Do we have a second endorser?
>
> Ballot 191 - Clarify Place of Business Information Field Inclusion
>
> The current EV Guidelines are not clear on what address information is
> required in a certificate. This ballot clarifies the requirements.
>
> --Motion Begins--
>
> A. Modify Section 9.2.7 as follows:
>
> '''9.2.7. Subject Physical Address of Place of Business Field'''
>
> Certificate fields:
>
> Number and street: subject:streetAddress (OID: 2.5.4.9)
>
> City or town: subject:localityName (OID: 2.5.4.7)
>
> State or province (where applicable): subject:stateOrProvinceName
> (OID: 2.5.4.8)
>
> Country: subject:countryName (OID: 2.5.4.6)
>
> Postal code: subject:postalCode (OID: 2.5.4.17)
>
> Required/Optional: --(City, state, and country - Required; Street and
> postal code - Optional)-- __As stated in Section 7.1.4.2.2 d, e, f, g
> and h of the Baseline Requirements__
>
> Contents: This field MUST contain the address of the physical location
> of the Subject's Place of Business.
>
> --Motion Ends--
>
> *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf
> Of *Bruce Morton via Validation
> *Sent:* Wednesday, January 25, 2017 12:51 PM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org
> <mailto:validation at cabforum.org>>
> *Cc:* Bruce Morton <Bruce.Morton at entrustdatacard.com
> <mailto:Bruce.Morton at entrustdatacard.com>>
> *Subject:* [cabf_validation] Change to EV 9.2.7
>
> To deal with the Require/Optional requirement or the Place of
> Business, I propose a simple change which will make the EV Guidelines
> consistent with the Baseline Requirements.
>
> The EV Guidelines currently state:
>
> *9.2.7. Subject Physical Address of Place of Business Field*
>
> *Certificate fields:*
>
> Number and street: subject:streetAddress (OID: 2.5.4.9)
>
> City or town: subject:localityName (OID: 2.5.4.7)
>
> State or province (where applicable): subject:stateOrProvinceName
> (OID: 2.5.4.8)
>
> Country: subject:countryName (OID: 2.5.4.6)
>
> Postal code: subject:postalCode (OID: 2.5.4.17)
>
> *Required/Optional:* City, state, and country - Required; Street and
> postal code - Optional
>
> *Contents:* This field MUST contain the address of the physical
> location of the Subject's Place of Business.
>
> To address the Required/Optional issue, I propose the following change.
>
> *9.2.7. Subject Physical Address of Place of Business Field*
>
> *Certificate fields:*
>
> Number and street: subject:streetAddress (OID: 2.5.4.9)
>
> City or town: subject:localityName (OID: 2.5.4.7)
>
> State or province (where applicable): subject:stateOrProvinceName
> (OID: 2.5.4.8)
>
> Country: subject:countryName (OID: 2.5.4.6)
>
> Postal code: subject:postalCode (OID: 2.5.4.17)
>
> *Required/Optional:* As stated in Section 7.1.4.2.2 d, e, f, g and h
> of the Baseline Requirements
>
> *Contents:* This field MUST contain the address of the physical
> location of the Subject's Place of Business.
>
>
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org<mailto:Validation at cabforum.org>
> https://cabforum.org/mailman/listinfo/validation
--
Cordiali saluti,
Adriano Santoni
ACTALIS S.p.A.
(Aruba Group)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20170305/57bce1c0/attachment-0001.html>
More information about the Validation
mailing list