[cabf_validation] Change to EV 9.2.7

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Mar 8 13:20:41 MST 2017


No, I understand..  I was just trying to say that you, Dimitris, and Peter have captured some good points that should probably go into a future ballot – can you make a recommendation to the Validation Working Group?

From: Adriano Santoni [mailto:adriano.santoni at staff.aruba.it]
Sent: Wednesday, March 8, 2017 7:08 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>; Dimitris Zacharopoulos <jimmy at it.auth.gr>
Subject: Re: [cabf_validation] Change to EV 9.2.7


Of course I agree to involve the VWG; I did not mean to try and solve these issues among the three of us :)
I am hereby submitting this proposal to the VWG:

  *   re-think and clarify the meaning of the organizations' address in OV and EV certificates; what is the intended meaning? consequently, what kind of addresses should be allowed (address of incorporation, address registered at the local chamber of commerce, any of N addresses of operations, etc.) ?
  *   clarify if "virtual addresses" (e.g. address of a law firm, PO boxes etc.) are allowed or not (hopefully not)
  *   clarify if it is OK for several certificates issued to the same organization to carry different addresses, possibly distinguishing between OV vs. EV class
  *   define "address of existence" or preferably get rid of such a weird locution
  *   mandate streetAddress at least in EV certs

Adriano



On 08/03/2017 02:02, Kirk Hall wrote:
Some responses.

First, I agree with your sentiments.

Second – I’m just hung up on making a CA try to decide which is a company’s “main” office.  My current company, Entrust Datacard, has its SSL operations in Ottawa (for 15 years), but its top admin people are in Dallas (used to be the CEO there, etc. because he liked the warm weather – he is gone now).  Then Entrust was bought by Datacard (a much bigger corp, makes the passports and credit cards worldwide that we are all carrying), and it’s located in Minneapolis.  If anything, that is corporate “headquarters” but does not do any SSL work.

I haven’t looked, but Hoover’s might show the Minneapolis company as headquarters, but there are hundreds of employees in Ottawa and Dallas also, and those offices are fully covered on their own in Hoovers.  So – why not give an EV cert that lists Ottawa, ON, CA and Dallas, TX, US?  You (as a user) can sure find the physical location there.

Third – you raise a good point – why don’t we also include the street address in an EV cert?  (Are we afraid crazy people will go there to complain?)

Let’s consider forwarding some recommendations to the Validation Working Group on this as a new project – what should be in the data fields, and making sure BRs and EVGL are coordinated.

From: Adriano Santoni [mailto:adriano.santoni at staff.aruba.it]
Sent: Monday, March 6, 2017 11:44 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; Peter Bowen <pzb at amzn.com>
Cc: Dimitris Zacharopoulos <jimmy at it.auth.gr>
Subject: Re: [cabf_validation] Change to EV 9.2.7


Kirk, I was not really suggesting to include either the registered address or a physical address in an EV certificate. The point is, what is the purpose of the address in an EV certificate? What information do we want it to provide? In my opinion, the address is an integral part of the subscriber identity, and identity is of paramount importance in an EV certificate (not to say that it's not important in OV certs). It should be a physical address where the subscriber has its "main" office, that is the main place where the company runs its business from, and it must be a sufficiently precise address. As a relying party, I want to be able to go there and see a plate with the company name at that address. So, in addition to the countryName, it must at least contain a localityName. IMO it must always include streetAddress (is it ever possible that a company does not have a street address? I suppose not). StateOrProvince should be at least recommended, if not mandatory, because it's not altogether impossible that two localities with the same name exist in different states (I can provide several examples both in EU and in US).
If a company is not willing to provide a physical address, but only a virtual address (e.g. the address of a law firm), or a different type of address which is not usable for locating the company at some specific physical place, I do not think we should issue an EV cert to them.

Adriano
On 07/03/2017 00:19, Kirk Hall wrote:
Understood, and not the best.   Adriano was (maybe) suggesting we could use “Registered Office” address instead of physical location address if desired, which at least would help you find the Registered Agent.

Having said that, if you know that Entrust Dogwood Partners LP is registered in Delaware (and the EV cert lists a serial number), it is possible to find whatever is in the Delaware record on location…  But that may just be Registered Agent address, which might be CT Corporation for thousands of companies (can’t remember).

Should we tell Li-Chun the Forum can’t do what he wants?  Does he already know?

From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Monday, March 6, 2017 3:12 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: Adriano Santoni <adriano.santoni at staff.aruba.it>; Dimitris Zacharopoulos <jimmy at it.auth.gr>
Subject: Re: [cabf_validation] Change to EV 9.2.7

Kirk,

This would not solve Li-Chun’s problem, as he wants to skip the physical location data.  He wants to use the jurisdiction of registration instead of the physical registration.   Following his example we would have tons of certs with C=US, ST=Delaware, O=ENTRUST DOGWOOD PARTNERS LP and similar things.  No clue where to find Entrust Dogwood Partners, just that they are registered in Delaware (like 99% of all other US companies).




Thanks,
Peter

On Mar 6, 2017, at 2:44 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:

Pulling in Peter and Dimitris.

Sorry I wasted time on Li-Chun’s issue – I thought it was a Taiwanese law.

Peter and Dimitris – see my discussion with Adriano below.  Is Li-Chun asking for the ability to use the Taiwan Naming Scheme (not a law) in the EV fields for L, S, and C?  If yes, is the Taiwan Naming Scheme data essentially what we would call the “Registered Office” or “Registered Agent” address for a company (even if the company has no operations at that address – but legal notices can be delivered there, etc.)?

If the answer is yes – this could tie into Adriano’s suggestion that EV 9.2.7 could allow a CA to insert EITHER a physical location OR a registered office address in those fields – and Li-Chun could do what he wants, without making exceptions for Taiwan.

At first I was dubious, but then I remembered – the reason for the EV address fields was so a user could “find” the website owner.  It seems to me that can happen so long as we include either physical location or registered office location.  (We don’t put in street address, which is too bad, but we do include jurisdiction of incorporation and serial number…)

So – would this solve Li-Chun’s problem?  And would you be ok with modifying EV 9.2.7 so the CA can include either location of office or registered office?

From: Adriano Santoni [mailto:adriano.santoni at staff.aruba.it]
Sent: Monday, March 6, 2017 3:24 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Change to EV 9.2.7

Kirk, what you propose seems reasonable from a practical point of view, and I guess it's the more common interpretation among CAs, but it inevitably leads to the possibility that several certificates issued to the same organization have different addresses in them. If nothing else, this is ugly to me. If the address of an organization is part of its identity (and I would say it is), then I do not expect that address to vary among several certificates issued to the same organization. At least, not in EV certificates.
Adriano

On 05/03/2017 03:14, Kirk Hall wrote:
Hmmm...  I would not want to limit certificate Applicants to only one "official" place of business.  I think it should be any physical location where the CA can prove the Applicant maintains an official place of business.

For example, my previous company Trend Micro had major offices in Cupertino, CA, Irving, TX, and Tokyo.  All three could be confirmed in D&B/Hoover's.  In North America, the "headquarters" was Texas, but Japan was the official "headquarters".  However, the US company was a California corporation that listed its Cupertino CA address - but that was not "headquarters".  I think in some jurisdictions (like the UK - Companies House), the "official registered office" address in the government record is NOT a physical location of any company office, but  the location of its Registered Agent (maybe a law firm).

If you look at a QIIS like Hoover’s, for some businesses you may see 20 or 100 confirmed business location addresses listed.  Sometimes one is designated “Headquarters”, but it may be a small office in a tax jurisdiction, etc., and/or the IT department may all be located at a different confirmed physical location the customer wants.

So I think we should only require a CA to confirm physical location of "an" office of the Applicant (using a QIIS or QGIS), as there may not be "the" office.  And I would not require CAs to use the address listed in the government registry, as it may not reflect any physical location where the Applicant does business.

As I recall, this part of the EVGL (at least) was intended to help people have *some* physical address where they could find the actual business, not agents, etc.  We did separately require the CA to also record the Registered Agent information as found in the government record.

So I would recommend we change "the" to "a" in EVG: 9.2.7 the next time we do a general cleanup ballot.  Or change to read "the physical location of one of the Subject’s Places of Business".

9.2.7. Subject Physical Address of Place of Business Field
Certificate fields:
Number and street: subject:streetAddress (OID: 2.5.4.9)
City or town: subject:localityName (OID: 2.5.4.7)
State or province (where applicable): subject:stateOrProvinceName (OID: 2.5.4.8)
Country: subject:countryName (OID: 2.5.4.6)
Postal code: subject:postalCode (OID: 2.5.4.17)
Required/Optional: City, state, and country – Required; Street and postal code – Optional
Contents: This field MUST contain the address of the physical location of the Subject’s Place of Business.

-----Original Message-----
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Adriano Santoni via Validation
Sent: Thursday, March 2, 2017 11:44 PM
To: validation at cabforum.org
Cc: Adriano Santoni <adriano.santoni at staff.aruba.it>
Subject: Re: [cabf_validation] Change to EV 9.2.7

+1



On 02/03/2017 20:28, Mark B. Cooper via Validation wrote:
>
> I suspect defining the place of business as being the legally
> registered location of the business would be a more accurate and
> descriptive term. This would be easier to verify in D&B records as
> well as other sources. “a place” of business is going to be much
> harder for issuers to verify as a business may have many locations
> that aren’t necessarily registered with entities.
>
> -Mark
>
> *Mark B. Cooper*
>
> President & Founder
>
> PKI Solutions Inc.
>
> www.pkisolutions.com
>
> Telephone: +1 971 231 5523
>
> *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf
> Of *Rick Andrews via Validation
> *Sent:* Wednesday, March 1, 2017 3:48 PM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Cc:* Rick Andrews <Rick_Andrews at symantec.com>
> *Subject:* Re: [cabf_validation] Change to EV 9.2.7
>
> Jeremy,
>
> “This field MUST contain the address of the physical location of the
> Subject’s Place of Business.” What does “the” mean here? Many
> businesses have multiple physical locations. Should it be “a” instead?
> Should we clarify that it doesn’t have to be the physical location of
> the server(s) hosting the certificate?
>
> -Rick
>
> *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf
> Of *Jeremy Rowley via Validation
> *Sent:* Wednesday, February 22, 2017 11:30 PM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Cc:* Jeremy Rowley <jeremy.rowley at digicert.com>
> *Subject:* Re: [cabf_validation] Change to EV 9.2.7
>
> I’ve created this as ballot 191. Do we have a second endorser?
>
> Ballot 191 - Clarify Place of Business Information Field Inclusion
>
> The current EV Guidelines are not clear on what address information is
> required in a certificate. This ballot clarifies the requirements.
>
> --Motion Begins--
>
> A. Modify Section 9.2.7 as follows:
>
> '''9.2.7. Subject Physical Address of Place of Business Field'''
>
> Certificate fields:
>
> Number and street: subject:streetAddress (OID: 2.5.4.9)
>
> City or town: subject:localityName (OID: 2.5.4.7)
>
> State or province (where applicable): subject:stateOrProvinceName
> (OID: 2.5.4.8)
>
> Country: subject:countryName (OID: 2.5.4.6)
>
> Postal code: subject:postalCode (OID: 2.5.4.17)
>
> Required/Optional: --(City, state, and country – Required; Street and
> postal code – Optional)-- __As stated in Section 7.1.4.2.2 d, e, f, g
> and h of the Baseline Requirements__
>
> Contents: This field MUST contain the address of the physical location
> of the Subject’s Place of Business.
>
> --Motion Ends--
>
> *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf
> Of *Bruce Morton via Validation
> *Sent:* Wednesday, January 25, 2017 12:51 PM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Cc:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
> *Subject:* [cabf_validation] Change to EV 9.2.7
>
> To deal with the Required/Optional requirement of the Place of
> Business, I propose a simple change which will make the EV Guidelines
> consistent with the Baseline Requirements.
>
> The EV Guidelines currently state:
>
> *9.2.7. Subject Physical Address of Place of Business Field*
>
> *Certificate fields:*
>
> Number and street: subject:streetAddress (OID: 2.5.4.9)
>
> City or town: subject:localityName (OID: 2.5.4.7)
>
> State or province (where applicable): subject:stateOrProvinceName
> (OID: 2.5.4.8)
>
> Country: subject:countryName (OID: 2.5.4.6)
>
> Postal code: subject:postalCode (OID: 2.5.4.17)
>
> *Required/Optional:* City, state, and country – Required; Street and
> postal code – Optional
>
> *Contents:* This field MUST contain the address of the physical
> location of the Subject’s Place of Business.
>
> To address the Required/Optional issue, I propose the following change.
>
> *9.2.7. Subject Physical Address of Place of Business Field*
>
> *Certificate fields:*
>
> Number and street: subject:streetAddress (OID: 2.5.4.9)
>
> City or town: subject:localityName (OID: 2.5.4.7)
>
> State or province (where applicable): subject:stateOrProvinceName
> (OID: 2.5.4.8)
>
> Country: subject:countryName (OID: 2.5.4.6)
>
> Postal code: subject:postalCode (OID: 2.5.4.17)
>
> *Required/Optional:* As stated in Section 7.1.4.2.2 d, e, f, g and h
> of the Baseline Requirements
>
> *Contents:* This field MUST contain the address of the physical
> location of the Subject’s Place of Business.
>
>
>

--

Kind regards,

Adriano Santoni
ACTALIS S.p.A.
(Aruba Group)



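
The section 9.2.7 field list quoted in this thread, turned into a subject-DN check; this is an added example, not code from any participant or from the CA/Browser Forum. It encodes the current Required/Optional text (city, state and country required; street and postal code optional). The SHORT_NAMES mapping, the state_applicable flag and the second sample DN are assumptions made for illustration.

```python
# Added example: check a subject DN string against EV Guidelines 9.2.7 as quoted above.
# OIDs and required/optional status come from the quoted section text.
EV_927_FIELDS = {
    "2.5.4.9": ("streetAddress", False),
    "2.5.4.7": ("localityName", True),
    "2.5.4.8": ("stateOrProvinceName", True),   # "where applicable"
    "2.5.4.6": ("countryName", True),
    "2.5.4.17": ("postalCode", False),
}
# Assumption: short attribute names as they commonly appear in printed DNs.
SHORT_NAMES = {"STREET": "2.5.4.9", "L": "2.5.4.7", "ST": "2.5.4.8",
               "C": "2.5.4.6", "POSTALCODE": "2.5.4.17"}

def split_rdns(dn):
    """Split on unescaped commas; a backslash escapes the next character.
    Simplification: hex-pair escapes and multi-valued RDNs ('+') are not handled."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def lint_ev_927(dn, state_applicable=True):
    """Return (address fields found, required fields missing)."""
    present = {}
    for rdn in split_rdns(dn):
        key, _, value = rdn.partition("=")
        oid = SHORT_NAMES.get(key.strip().upper(), key.strip())
        if oid in EV_927_FIELDS and value.strip():
            present[EV_927_FIELDS[oid][0]] = value.strip()
    missing = [name for name, required in EV_927_FIELDS.values()
               if required and name not in present
               and (name != "stateOrProvinceName" or state_applicable)]
    return present, missing

if __name__ == "__main__":
    # First DN is the jurisdiction-only subject from Peter Bowen's message; second is constructed.
    for dn in ("C=US, ST=Delaware, O=ENTRUST DOGWOOD PARTNERS LP",
               r"C=CA, ST=Ontario, L=Ottawa, STREET=1 Example St\, Suite 2, O=Example Org"):
        print(dn, "->", lint_ev_927(dn))
```

The jurisdiction-only subject is reported as missing localityName, which is the gap Peter Bowen's message points at.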