[cabf_validation] Standardizing jurisdiction information

Tim Shirley TShirley at trustwave.com
Thu May 24 13:33:27 MST 2018

In looking at / thinking about opportunities for improvement in EV, one of the most prominent things to me is the current lack of standardization in how a legal entity is identified from certificate to certificate.  The idea is that you can take the values from the following fields and use it to unambiguously identify one and only one legal entity to associate with the website:

Jurisdiction Locality
Jurisdiction State/Province
Jurisdiction Country
Business Category
Serial Number

The trouble I see when looking across multiple EV certificates for the same legal entity today is that the contents of those fields often vary from certificate to certificate.  For example, suppose you have a Private Organization incorporated or registered in London.  What should the 3 jurisdiction location fields be set to?  I've seen:

Jurisdiction Locality = LONDON
Jurisdiction State/Province = London
Jurisdiction Country = GB

Jurisdiction Locality = LONDON
Jurisdiction State/Province = England
Jurisdiction Country = GB

Jurisdiction Locality = LONDON
Jurisdiction Country = GB


And I'm sure if I kept looking I'd find more variants.  There are a variety of other types of variances I've seen:

1. Cases where the serial number is left-padded with zeroes in some certificates and not others, e.g.
2. Cases where the same organization is registered in 2 different locales, e.g.
3. Spelling variances of the locality/state
4. Differences in abbreviation in organization name
5. Transliterations of organization name

None of these variances prevent a person from tracking down the legal entity, but they make it difficult for an automated system to do so.  Making it easier to programmatically link web sites to organizations could help in a variety of applications.  For example, a browser-based filter or proxy server could now interpret live page content as it comes back from the server in the context of the owning organization when scoring how much of a risk the page might pose to the end user before displaying it, providing better real-time fraud prevention capabilities than it could from the page content alone.

I could see 2 broad approaches to fixing this:

1. Tighter rules around what you can put in these fields.  For example, you might have a table of permitted state/province values per country.  Or you might disallow "foreign" registration info to be used here (assuming there is a single authoritative jurisdiction for all organizations; I'm not familiar enough with this area to know if that's a valid assumption).
2. A globally-unique identifier of the organization rather than (or in addition to) the location-scoped one we have today.

Any thoughts on the value in attacking this problem?

Tim Shirley

Software Architect

t: +1 412.395.2234
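An added illustration (not part of the post above) of why the variances matter to an automated linker: the three London subjects from the post, rebuilt as constructed dictionaries keyed by the EV Guidelines subject OIDs, produce three different keys when compared field-for-field and one key after a heuristic normalization. The normalization rules (case-folding, stripping serial zero padding, ignoring state/province) are assumptions of this example, not anything the post or the EV Guidelines prescribe, and the final check shows the cost of the heuristic.

```python
"""Naive vs. heuristically normalized EV legal-entity keys (constructed example)."""
from typing import Callable, Dict, Iterable, Tuple

# Subject attribute OIDs of the five fields the post lists.
JUR_L = "1.3.6.1.4.1.311.60.2.1.1"    # jurisdictionLocalityName
JUR_ST = "1.3.6.1.4.1.311.60.2.1.2"   # jurisdictionStateOrProvinceName
JUR_C = "1.3.6.1.4.1.311.60.2.1.3"    # jurisdictionCountryName
BUSINESS_CATEGORY = "2.5.4.15"        # businessCategory
SERIAL_NUMBER = "2.5.4.5"             # serialNumber
IDENTITY_OIDS = (JUR_L, JUR_ST, JUR_C, BUSINESS_CATEGORY, SERIAL_NUMBER)

# Constructed subjects mirroring the post's three London variants plus a
# zero-padded serial; the serial value is invented, not a real registration.
LONDON_VARIANTS = [
    {JUR_L: "LONDON", JUR_ST: "London", JUR_C: "GB",
     BUSINESS_CATEGORY: "Private Organization", SERIAL_NUMBER: "01234567"},
    {JUR_L: "LONDON", JUR_ST: "England", JUR_C: "GB",
     BUSINESS_CATEGORY: "Private Organization", SERIAL_NUMBER: "1234567"},
    {JUR_L: "LONDON", JUR_C: "GB",
     BUSINESS_CATEGORY: "Private Organization", SERIAL_NUMBER: "1234567"},
]


def naive_key(subject: Dict[str, str]) -> Tuple[str, ...]:
    """Exact field values in a fixed order; an absent field becomes ''."""
    return tuple(subject.get(oid, "") for oid in IDENTITY_OIDS)


def normalized_key(subject: Dict[str, str]) -> Tuple[str, ...]:
    """Heuristic key (an assumption of this example): case-fold text, drop
    leading zeroes from the serial, and ignore state/province because the
    post shows it is the least consistent field. Assumes the registry serial
    is numeric-like; a registry where leading zeroes are significant would
    need a per-jurisdiction rule instead."""
    serial = subject.get(SERIAL_NUMBER, "").strip().lstrip("0") or "0"
    return (
        subject.get(JUR_C, "").strip().upper(),
        subject.get(JUR_L, "").strip().casefold(),
        subject.get(BUSINESS_CATEGORY, "").strip().casefold(),
        serial,
    )


def distinct_entities(subjects: Iterable[Dict[str, str]],
                      key_fn: Callable[[Dict[str, str]], Tuple[str, ...]]) -> int:
    """How many distinct legal entities a linker using key_fn would report."""
    return len({key_fn(s) for s in subjects})
```

Because the normalized key discards state/province, two different registries in same-named localities of one country (common in the US) would collapse into a single entity, which is the kind of ambiguity that a table of permitted values or a globally unique identifier would remove.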
