[cabf_validation] Change to EV 9.2.7

Adriano Santoni adriano.santoni at staff.aruba.it
Mon Mar 6 06:14:01 MST 2017


... and further to my previous remarks on EV certificates, I still 
believe that the BRs should be improved in the section describing 
requirements on address validation:

<<3.2.2.1. Identity
If the Subject Identity Information is to include the name or address of 
an organization, the CA SHALL verify
the identity and address of the organization and that the address is the 
Applicant’s address of existence or
operation.>>

Taken at face value, this sentence implies that either one address ("the 
... address of existence") or the other ("[address of] ... operation") 
can be inserted in an OV certificate, tertium non datur.

First issue, "address of existence" has no obvious meaning and neither 
is it defined in the BRs. So I would either define it, or replace it 
with a more common locution (e.g. official / legal address).
Second issue, I would remove that definite article "the" and use plurals 
-- if this is what we (CAs and browsers) actually mean.

How about rephrasing this sentence as follows:

<<3.2.2.1. Identity
If the Subject Identity Information is to include the name or address of 
an organization, the CA SHALL verify
the identity and address of the organization and that the address either 
is one of the Applicant’s legal addresses or one of
the Applicant’s business addresses (i.e. a location where the Applicant 
runs its business from).>>

I am sure the language can be improved, but I think you grasp what I 
mean....

Adriano




On 06/03/2017 12:23, Adriano Santoni via Validation wrote:
>
> Kirk, what you propose seems reasonable from a practical point of 
> view, and I guess it's the more common interpretation among CAs, but 
> it inevitably leads to the possibility that several certificates 
> issued to the same organization have different addresses in them. If 
> nothing else, this is ugly to me. If the address of an organization is 
> part of its identity (and I would say it is), then I do not expect 
> that address to vary among several certificates issued to the same 
> organization. At least, not in EV certificates.
>
> Adriano
>
>
> On 05/03/2017 03:14, Kirk Hall wrote:
>>
>> Hmmm...  I would not want to limit certificate Applicants to only one 
>> "official" place of business.  I think it should be any physical 
>> location where the CA can prove the Applicant maintains an official 
>> place of business.
>>
>> For example, my previous company Trend Micro had major offices in 
>> Cupertino, CA, Irving, TX, and Tokyo.  All three could be confirmed 
>> in D&B/Hoover's. In North America, the "headquarters" was Texas, but 
>> Japan was the official "headquarters".  However, the US company was a 
>> California corporation that listed its Cupertino CA address - but 
>> that was not "headquarters".  I think in some jurisdictions (like the 
>> UK - Companies House), the "official registered office" address in 
>> the government record is NOT a physical location of any company 
>> office, but  the location of its Registered Agent (maybe a law firm).
>>
>> If you look at a QIIS like Hoover’s, for some businesses you may see 
>> 20 or 100 confirmed business location addresses listed.  Sometimes 
>> one is designated “Headquarters”, but it may be a small office in a 
>> tax jurisdiction, etc., and/or the IT department may all be located 
>> at a different confirmed physical location the customer wants.
>>
>> So I think we should only require a CA to confirm physical location 
>> of "an" office of the Applicant (using a QIIS or QGIS), as there may 
>> not be "the" office. And I would not require CAs to use the address 
>> listed in the government registry, as it may not reflect any physical 
>> location where the Applicant does business.
>>
>> As I recall, this part of the EVGL (at least) was intended to help 
>> people have *some* physical address where they could find the actual 
>> business, not agents, etc.  We did separately require the CA to also 
>> record the Registered Agent information as found in the government 
>> record.
>>
>> So I would recommend we change "the" to "a" in EVG: 9.2.7 the next 
>> time we do a general cleanup ballot.  Or change to read " the 
>> physical location *one* of the Subject’s Places of Business
>>
>> 9.2.7. Subject Physical Address of Place of Business Field
>>
>> Certificate fields:
>>
>> Number and street: subject:streetAddress (OID: 2.5.4.9)
>>
>> City or town: subject:localityName (OID: 2.5.4.7)
>>
>> State or province (where applicable): subject:stateOrProvinceName 
>> (OID: 2.5.4.8)
>>
>> Country: subject:countryName (OID: 2.5.4.6)
>>
>> Postal code: subject:postalCode (OID: 2.5.4.17)
>>
>> Required/Optional: City, state, and country – Required; Street and 
>> postal code – Optional
>>
>> Contents: This field MUST contain the address of the physical 
>> location of the Subject’s Place of Business.
>>
>> -----Original Message-----
>> From: Validation [mailto:validation-bounces at cabforum.org] On Behalf 
>> Of Adriano Santoni via Validation
>> Sent: Thursday, March 2, 2017 11:44 PM
>> To: validation at cabforum.org
>> Cc: Adriano Santoni <adriano.santoni at staff.aruba.it>
>> Subject: Re: [cabf_validation] Change to EV 9.2.7
>>
>> +1
>>
>> On 02/03/2017 20:28, Mark B. Cooper via Validation wrote:
>>
>> >
>> > I suspect defining the place of business as being the legally
>> > registered location of the business would be a more accurate and
>> > descriptive term. This would be easier to verify in D&B records as
>> > well as other sources. “a place” of business is going to be much
>> > harder for issuers to verify as a business may have many locations
>> > that aren’t necessarily registered with entities.
>> >
>> > -Mark
>> >
>> > *Mark B. Cooper*
>> > President & Founder
>> > PKI Solutions Inc.
>> > www.pkisolutions.com <http://www.pkisolutions.com>
>> > Telephone: +1 971 231 5523
>> >
>> > *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf
>> > Of *Rick Andrews via Validation
>> > *Sent:* Wednesday, March 1, 2017 3:48 PM
>> > *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
>> > *Cc:* Rick Andrews <Rick_Andrews at symantec.com>
>> > *Subject:* Re: [cabf_validation] Change to EV 9.2.7
>> >
>> > Jeremy,
>> >
>> > “This field MUST contain the address of the physical location of the
>> > Subject’s Place of Business.” What does “the” mean here? Many
>> > businesses have multiple physical locations. Should it be “a” instead?
>> > Should we clarify that it doesn’t have to be the physical location of
>> > the server(s) hosting the certificate?
>> >
>> > -Rick
>> >
>> > *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf
>> > Of *Jeremy Rowley via Validation
>> > *Sent:* Wednesday, February 22, 2017 11:30 PM
>> > *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
>> > *Cc:* Jeremy Rowley <jeremy.rowley at digicert.com>
>> > *Subject:* Re: [cabf_validation] Change to EV 9.2.7
>> >
>> > I’ve created this as ballot 191. Do we have a second endorser?
>> >
>> > Ballot 191 - Clarify Place of Business Information Field Inclusion
>> >
>> > The current EV Guidelines are not clear on what address information is
>> > required in a certificate. This ballot clarifies the requirements.
>> >
>> > --Motion Begins--
>> >
>> > A. Modify Section 9.2.7 as follows:
>> >
>> > '''9.2.7. Subject Physical Address of Place of Business Field'''
>> >
>> > Certificate fields:
>> >
>> > Number and street: subject:streetAddress (OID: 2.5.4.9)
>> >
>> > City or town: subject:localityName (OID: 2.5.4.7)
>> >
>> > State or province (where applicable): subject:stateOrProvinceName
>> > (OID: 2.5.4.8)
>> >
>> > Country: subject:countryName (OID: 2.5.4.6)
>> >
>> > Postal code: subject:postalCode (OID: 2.5.4.17)
>> >
>> > Required/Optional: --(City, state, and country – Required; Street and
>> > postal code – Optional)-- __As stated in Section 7.1.4.2.2 d, e, f, g
>> > and h of the Baseline Requirements__
>> >
>> > Contents: This field MUST contain the address of the physical location
>> > of the Subject’s Place of Business.
>> >
>> > --Motion Ends--
>> >
>> > *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf
>> > Of *Bruce Morton via Validation
>> > *Sent:* Wednesday, January 25, 2017 12:51 PM
>> > *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
>> > *Cc:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
>> > *Subject:* [cabf_validation] Change to EV 9.2.7
>> >
>> > To deal with the Require/Optional requirement or the Place of
>> > Business, I propose a simple change which will make the EV Guidelines
>> > consistent with the Baseline Requirements.
>> >
>> > The EV Guidelines currently state:
>> >
>> > *9.2.7. Subject Physical Address of Place of Business Field*
>> >
>> > *Certificate fields:*
>> >
>> > Number and street: subject:streetAddress (OID: 2.5.4.9)
>> >
>> > City or town: subject:localityName (OID: 2.5.4.7)
>> >
>> > State or province (where applicable): subject:stateOrProvinceName
>> > (OID: 2.5.4.8)
>> >
>> > Country: subject:countryName (OID: 2.5.4.6)
>> >
>> > Postal code: subject:postalCode (OID: 2.5.4.17)
>> >
>> > *Required/Optional:* City, state, and country – Required; Street and
>> > postal code – Optional
>> >
>> > *Contents:* This field MUST contain the address of the physical
>> > location of the Subject’s Place of Business.
>> >
>> > To address the Required/Optional issue, I propose the following change.
>> >
>> > *9.2.7. Subject Physical Address of Place of Business Field*
>> >
>> > *Certificate fields:*
>> >
>> > Number and street: subject:streetAddress (OID: 2.5.4.9)
>> >
>> > City or town: subject:localityName (OID: 2.5.4.7)
>> >
>> > State or province (where applicable): subject:stateOrProvinceName
>> > (OID: 2.5.4.8)
>> >
>> > Country: subject:countryName (OID: 2.5.4.6)
>> >
>> > Postal code: subject:postalCode (OID: 2.5.4.17)
>> >
>> > *Required/Optional:* As stated in Section 7.1.4.2.2 d, e, f, g and h
>> > of the Baseline Requirements
>> >
>> > *Contents:* This field MUST contain the address of the physical
>> > location of the Subject’s Place of Business.
>> >
>> > _______________________________________________
>> > Validation mailing list
>> > Validation at cabforum.org
>> > https://cabforum.org/mailman/listinfo/validation
>>
>> -- 
>> Best regards,
>> Adriano Santoni
>> ACTALIS S.p.A.
>> (Aruba Group)
>>
>
> -- 
>
> Best regards,
>
> Adriano Santoni
> ACTALIS S.p.A.
> (Aruba Group)
>

-- 

Best regards,

Adriano Santoni
ACTALIS S.p.A.
(Aruba Group)

