[cabf_validation] Topic for our next VWG call: LEI

Ryan Sleevi sleevi at google.com
Wed Feb 6 12:27:53 MST 2019


On Wed, Feb 6, 2019 at 2:17 PM Doug Beattie via Validation <
validation at cabforum.org> wrote:

> Maybe an example will help:
>
> A CA issues a certificate to Stripe Inc, Kentucky.  The LEI matches what’s
> in the certificate and the CA asserts all is good at this point in time.
>
> A week later, the LEI changes the location of Stripe Inc, to New
> Hampshire.  Relying parties now think the CA asserted/verified Stripe Inc,
> New Hampshire because that is in the certificate and bound via digital
> signature in the OU field (although they are a bit confused because the DN
> in the certificate remains Kentucky).  It appears that the CA validated
> both identities, but in fact, the CA never validated Stripe Inc, New
> Hampshire.
>
> How do we reconcile this?  I think it’s important that everyone
> understands what was validated, and with the ability of LEI data to change,
> I don’t understand how a CA can include that as validated information.
>

That seems similar in nature to any inclusion of identity in certificates.

Using the Sectigo example (Sorry Rich! I would have tried harder for
another example, but I was lazy), we have a certificate out there stating
that crt.sh is operated by Comodo CA, when in fact, we now know it's
operated by Sectigo.

I think one possible resolution to this is to understand whether LEIs are
unique or if they're reusable. I don't know enough about LEI to have a
clear answer about this, but
https://leismart.com/blog/lei-data-is-not-static/ leads me to think that
while the assigned LEI may change, LEIs themselves are not reused.

For example, when QuoVadis' certificate operations were taken over by
DigiCert, one can imagine that the LEI 'now' used for transactions with
"QuoVadis" may now be the DigiCert LEI, rather than QuoVadis' "old" LEI. If
that's the scenario, then we're just talking about 'stale' information, and
it overlaps with many of the things we're talking about.

Alternatively, if the LEI is reused - which I view your Stripe Inc/Kentucky
-> Stripe Inc/New Hampshire information to be about - then I agree, we have
a much more serious issue, especially if the state of that LEI at the point
in time the certificate was validated (which, unfortunately, may be 2+
years before it was actually issued) is not obtainable.

Do you have a sense on whether or not the LEI model reuses identifiers,
rather than merely creates or associates new identifiers?