[cabf_validation] GLEIF discussion today

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Feb 14 17:11:25 MST 2019

While I couldn't be on the Validation Subcommittee call today, I was able to listen to it later, and I think it answers a number of the questions I previously had.

Entrust strongly supports the idea of putting LEIs in certificates, but we have had two main concerns: (1) it was not clear what validation procedures LOUs must follow when validating corporations and assigning LEIs (that is still not completely clear to me), and (2) I was very concerned about how CAs could accurately map their validated EV information to the correct LEI number in the GLEIF data base.  I don't believe simply matching a company name and address is sufficient (example: Acme, Inc., a Delaware US corporation, could have a subsidiary Acme, Inc., a Bermuda corporation, and both operate from 1 State Street, Chicago - those two companies would have different LEI numbers, but their names and addresses would be identical in the LEI record.  How could a CA disambiguate on that data alone?).

To me, the best news is not what I heard on today's call, but what I saw when I visited the GLEIF lookup site today.  The data that is displayed is much better than I remembered from last year - and best of all, it actually includes the jurisdiction of incorporation and registry serial number for each corporation along with its corresponding LEI number.  In my mind, that is really the only piece of data that is sufficiently strong for matching EV data to an LEI number.  (A CA should also confirm the LEI number with the subscriber, and scan the other GLEIF page data such as address to look for anomalies, but the registry serial number is the unique matching bit of data we should be using for EV certs.)

I have pasted in the GLEIF data for Apple, Inc. at the bottom of this message - you see the corporate registry number of C0806592 and the fact it is registered in California.  (I checked with the California Sec. of State record, and the data is correct.)  Based on the availability of that data in the GLEIF lookup record, I am totally satisfied that CAs can match an organization's EV data to an LEI with confidence, and can include the data in an EV cert.  (For now, I would not be willing to say an LEI number can be included in an OV cert, as I don't think there is sufficient data for mapping the LEI to OV validation data with certainty.)  We should probably come up with a new EVGL Sec. 11 rule for how to validate and include an LEI in an EV certificate, just for uniformity among CAs.

But I still have one question, and one suggestion.

(1) What exactly does an LOU *do* to validate a new customer when validating an organization and assigning an LEI number?  We heard that GLEIF maintains a list of approved corporate registry data bases the LOU may use - that's good - but what actual steps does the LOU go through to validate that the customer really is the company found in a corporate registry data base?  CAs have extensive, standardized validation rules for that (EVGL Section 11).  Does GLEIF also have a set of validation rules for LOUs to follow, and if yes, can GLEIF provide the Validation Subcommittee with a copy?

(2) On a happier note - the ETSI group is about to bring forward a ballot to allow the organizationIdentifier (OI) field authorized already in X.520 to be allowed in the SubjectDN of an EV certificate (in EVGL Section 9.2), along with a VAT number or PSD number.  Originally they were also considering an LEI, but I thought that should wait until we had more information.  Now that I realize CAs can securely match an LEI number to an EV profile, I believe we should allow all three identifiers in the upcoming ballot, VAT, PSD, and LEI number.  So I recommend the orgID ballot authors include all three identifiers to be permitted in their ballot - we would support that.

Here is the Apple, Inc. record in GLEIF:
GLEIF: https://search.gleif.org/#/record/HWUPKR0MPOU8FGXBT394

(Primary) Legal Name
Other Names
Apple Computer, Inc.

Registered At
Business Entity Records (Secretary of State)
Business Entity Records
California, United States
Registered As
Jurisdiction Of Formation
Entity Legal Form
Entity Status


One Apple Park Way
US | United States of America

US | United States of America

Registration Date
2012-06-06 08:53:00-07:00
Last Update
2018-12-18 07:31:00-08:00
Next Renewal
2019-11-08 16:30:00-08:00
LEI Issuer
Business Entity Data B.V. (GMEI Utility a service of BED B.V.) EVK05KS7XY1DEII3R011 <https://search.gleif.org/#/record/EVK05KS7XY1DEII3R011>
Corroboration Level
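
The matching rule argued for in this message, as an added Python example (not part of the original e-mail, and not GLEIF or CA/Browser Forum code): name and address alone return both Acme entities, while jurisdiction plus registry number returns exactly one, which is then confirmed against the subscriber-supplied LEI and scanned for anomalies. The record layout, field names, LEI strings, jurisdiction codes and registry numbers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Org:
    """Hypothetical, simplified view shared by a GLEIF record and EV-validated data."""
    legal_name: str
    address: str
    jurisdiction: str      # jurisdiction of incorporation / formation
    registry_number: str   # corporate registry serial number
    lei: str = ""          # empty for the CA's own EV data

def _norm(s: str) -> str:
    return " ".join(s.upper().split())

def _norm_reg(s: str) -> str:
    return "".join(ch for ch in s.upper() if ch.isalnum())

def match_by_name_address(ev: Org, records: list[Org]) -> list[Org]:
    """The weak approach: ambiguous when parent and subsidiary share name and address."""
    return [r for r in records
            if _norm(r.legal_name) == _norm(ev.legal_name)
            and _norm(r.address) == _norm(ev.address)]

def match_lei(ev: Org, records: list[Org], subscriber_lei: str) -> tuple[str, list[str]]:
    """Match on jurisdiction + registry number; return (lei, anomalous_fields)."""
    hits = [r for r in records
            if _norm(r.jurisdiction) == _norm(ev.jurisdiction)
            and _norm_reg(r.registry_number) == _norm_reg(ev.registry_number)]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one registry match, got {len(hits)}")
    rec = hits[0]
    if rec.lei != subscriber_lei.strip().upper():
        raise ValueError("subscriber-supplied LEI differs from the registry-matched LEI")
    # Name and address are not the match key, but a mismatch deserves manual review.
    anomalies = [field for field in ("legal_name", "address")
                 if _norm(getattr(rec, field)) != _norm(getattr(ev, field))]
    return rec.lei, anomalies

# Constructed sample data modelled on the Acme example in the message.
ADDR = "1 State Street, Chicago"
RECORDS = [
    Org("Acme, Inc.", ADDR, "US-DE", "1234567", "CONSTRUCTEDLEI0000DE"),
    Org("Acme, Inc.", ADDR, "BM", "98765", "CONSTRUCTEDLEI0000BM"),
]
EV_DATA = Org("Acme, Inc.", ADDR, "US-DE", "1234567")

if __name__ == "__main__":
    print(len(match_by_name_address(EV_DATA, RECORDS)), "name/address candidates")
    print(match_lei(EV_DATA, RECORDS, "CONSTRUCTEDLEI0000DE"))
```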
