[cabf_validation] [EXTERNAL]Re: Proposed draft Ballot 225 to strengthen EVGL 11.6 - Operational Existence

Tim Hollebeek tim.hollebeek at digicert.com
Wed May 23 12:01:16 MST 2018

Well, it certainly wouldn’t make sense to explicitly list the countries where EV issuance is permitted.  We should layer improvements atop the existing rules, to avoid undue impact on existing EV certificates in existing browsers.  Browsers can do what they want with information like “this certificate is an EV certificate, with the following validation enhancements that are appropriate for and allowed for the corresponding country code.”  Though to keep complexity down, it’s probably better to have a simpler model where we have something like “here are the 2019 identity validation goals for a defined security level, and here are the 2019 validation rules for the US for that level.”


For the specific case of tax rules, we could do the same thing, especially in cases where the tax rules differ enough to have a tangible impact on the quality of the validation, but financial stuff tends to be an area where the world is a bit more homogeneous, for obvious practical reasons.


Likewise, for others of these as well, there are certain cases and large portions of the world that are homogeneous enough that a general rule will work.  “Here’s how you validate operational existence using financial information for a country in the eurozone” might make sense as an example.




From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, May 23, 2018 12:52 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] [EXTERNAL]Re: Proposed draft Ballot 225 to strengthen EVGL 11.6 - Operational Existence


Should that same logic apply for those with such tax authorities?


That is, wouldn't it make sense to explicitly list the countries where EV issuance is permitted, according to these rules? That would certainly make it far easier to note which countries are permitted to obtain EV certificates, and what methods for each country are acceptable for that validation, on a country-by-country basis. This uniformity in approach would make it easier to avoid misinterpretation about whether or not a given jurisdiction meets the requirements posed.


On Wed, May 23, 2018 at 12:35 PM, Tim Hollebeek via Validation <validation at cabforum.org> wrote:


I’ve supported this for a long time. As much as I hate country-by-country rules, I don’t think jurisdiction-neutral validation requirements can always be written for requirements like this.  The world’s legal systems are just too diverse.  I think even with very good rules, country-specific exceptions are inevitable.

We had similar issues with questions of simple geography, which don’t have uniform global understandings.


I’d suggest this:  Let CAs who operate in other countries propose future amendments to EVGL 11.6 on a country-by-country basis, with reasons (e.g., “we can’t do those checks here because…”) and with a proposal for an alternative method for verifying an Applicant’s “operational existence” in that country, with facts and evidence.  The Forum can then review and adopt those proposals on a country-by-country basis – limited to Applicants in those countries only – and add them in an Appendix to the EVGL.  This can grow over time as needed.
