[cabf_validation] GLEIF discussion today
Kirk Hall
Kirk.Hall at entrustdatacard.com
Thu Feb 14 17:11:25 MST 2019
While I couldn't be on the Validation Subcommittee call today, I was able to listen to it later, and I think it answers a number of the questions I previously had.
Entrust strongly supports the idea of putting LEIs in certificates, but we have had two main concerns: (1) it was not clear what validation procedures LOUs must follow when validating corporations and assigning LEIs (that is still not completely clear to me), and (2) I was very concerned about how CAs could accurately map their validated EV information to the correct LEI number in the GLEIF data base. I don't believe simply matching a company name and address is sufficient (example: Acme, Inc. a Delaware US corporation, could have a subsidiary Acme, Inc., a Bermuda corporation, and both operate from 1 State Street, Chicago - those two companies would have different LEI numbers, but their names and addresses would be identical in the LEI record. How could a CA disambiguate on that data alone?).
To me, the best news is not what I heard on today's call, but what I saw when I visited the GLEIF lookup site today. The data that is displayed is much better than I remembered from last year - and best of all, it actually includes the jurisdiction of incorporation and registry serial number for each corporation along with its corresponding LEI number. In my mind, that is really the only piece of data that is sufficiently strong for matching EV data to an LEI number. (A CA should also confirm the LEI number with the subscriber, and scan the other GLEIF page data such as address to look for anomalies, but the registry serial number is the unique matching bit of data we should be using for EV certs.)
I have pasted in the GLEIF data for Apple, Inc. at the bottom of this message - you see the corporate registry number of C0806592 and the fact it is registered in California. (I checked with the California Sec. of State record, and the data is correct.) Based on the availability of that data in the GLEIF lookup record, I am totally satisfied that CAs can match an organization's EV data to an LEI with confidence, and can include the data in an EV cert. (For now, I would not be willing to say an LEI number can be included in an OV cert, as I don't think there is sufficient data for mapping the LEI to OV validation data with certainty.) We should probably come up with a new EVGL Sec. 11 rule for how to validate and include an LEI in an EV certificate, just for uniformity among CAs.
But I still have one question, and one suggestion.
(1) What exactly does an LOU *do* to validate a new customer when validating organization and assigning an LEI number? We heard that GLEIF maintains a list of approved corporate registry data bases the LOU may use - that's good - but what actual steps does the LOU go through to validate that the customer really is the company found in a corporate registry data base? CAs have extensive, standardized validation rules for that (EVGL Section 11). Does GLEIF also have a set of validation rules for LOUs to follow, and if yes, can GLEIF provide the Validation Subcommittee with a copy?
(2) On a happier note - the ETSI group is about to bring forward a ballot to allow the organizationIdentifier (OI) field authorized already in X.520 to be allowed in the SubjectDN of an EV certificate (in EVGL Section 9.2), along with a VAT number or PSD number. Originally they were also considering an LEI, but I thought that should wait until we had more information. Now that I realize CAs can securely match an LEI number to an EV profile, I believe we should allow all three identifiers in the upcoming ballot, VAT, PSD, and LEI number. So I recommend the orgID ballot authors include all three identifiers to be permitted in their ballot - we would support that.
Here is the Apple, Inc. record in GLEIF:
GLEIF: https://search.gleif.org/#/record/HWUPKR0MPOU8FGXBT394
APPLE INC.
LEI Code HWUPKR0MPOU8FGXBT394Hide
(Primary) Legal Name
APPLE INC.
Other Names
Apple Computer, Inc.
Registered At
Business Entity Records (Secretary of State)
Business Entity Records
California, United States
RA000598
Registered As
C0806592
Jurisdiction Of Formation
US
Entity Legal Form
INCORPORATED
Entity Status
ACTIVE
Headquarters
One Apple Park Way
95014
Cupertino
US-CA
US | United States of America
Legal
C/O C T CORPORATION SYSTEM
818 WEST SEVENTH STREET, SUITE 930
90017
LOS ANGELES
US-CA
US | United States of America
Registration Date
2012-06-06 08:53:00-07:00
Last Update
2018-12-18 07:31:00-08:00
Status
ISSUED
Next Renewal
2019-11-08 16:30:00-08:00
LEI Issuer
Business Entity Data B.V. (GMEI Utility a service of BED B.V.)EVK05KS7XY1DEII3R011<https://search.gleif.org/#/record/EVK05KS7XY1DEII3R011>
Corroboration Level
FULLY_CORROBORATED
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20190215/6d8a713e/attachment-0001.html>
More information about the Validation
mailing list