[cabf_validation] Validation Subcommittee - minutes of meeting held

陳立群 realsky at cht.com.tw
Sat Feb 16 07:02:04 MST 2019


Bruce,

    I was present via CISCO WebEx. Thanks

      Li-Chun Chen
      Chunghwa Telecom 

-----Original Message-----
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Bruce
Morton via Validation
Sent: Saturday, February 16, 2019 2:25 AM
To: CA/Browser Forum Validation WG List
Subject: [外部郵件] [cabf_validation] Validation Subcommittee - minutes of
meeting held 14-Feb-2019

Present: Wayne Thayer, Ben Wilson, Doug Beattie, Dean Coclin, Ryan Sleevi,
Bruce Morton, Steve Roylance, Rich Smith, Christof? [BM - I did not record
the attendees, nor were the names on the recording, so this could be
updated]

Agenda:
1. Assign minutes / start recording
2. LEI discussion
3. IDN encodings and related issues
4. Topics for F2F agenda
5. Pending ballots

1. Bruce Morton was assigned to take minutes and Ben started the recording.

2. LEI Discussion
There was no agenda for the LEI discussion. There were some previously
discussed issues presented.
- Do LEIs meet the BR standard for OU?
- LEI information may change over time. The company name may change.
- LEI indication in the certificate is a lookup to other data source which
the CA does not verify.
- How are LEIs assigned or reused?
- If there changes can the history be reviewed? Is it time-stamped?

Response
- LEI is a 20 digit alpha-numeric code with no meaning
- One legal entity has one LEI code ever and no LEI code is ever reused
- If a legal entity is acquired but is independent, then it would keep its
LEI code
- If a legal entity is acquired, but is not independent, then it would be
merged, but the LEI code will remain as retired. Steve Roylance provided an
example, https://www.gleif.org/lei/8156003296F50CB59850

How do we make sure that the LEI code was assigned to the legal entity at
the time of CA validation? How can you cross-check that the CA validated the
LEI code?

Response
- The full history of the reference data is on the site and updated 3 times
per day.
- If the data changes, then it will be updated in the LEI database. So an
address update will be updated.

What guidelines are there for the Local Organization Units (LOUs) to ensure
the data is reliable for all LOUs?

Response
- There is an LOU accreditation process which verifies all processes and
procedures. LOU's are revalidated. LOU's may be asked or additional
information if there is suspicion that the quality is not met. LOU's may be
asked for a remediation plan. An onsite audit may be required.
- There is a challenge process that anyone can open, which the LOU has to
address.

What is the validation process for a CA to match an LEI to a legal entity?
What are the edge cases?

Response
- Rich Smith stated that he would look for a one-to-one match of information
about the entity and the LEI data. Would not allow the data unless it is
fully corroborated.
- Fully corroborated means that all fields have been verified. Partly
corroborated may mean that only one piece of data was not verified.

Ryan was concerned about using GLEIF as a QIIS. More discussion is required.

Steve Roylance provided best practice LEI and certificates
https://www.ubisecure.com/legal-entity-identifier-lei/lei-in-digital-certifi
cates-best-practice-definitions/ 


Agenda items 3, 4 and 5 were not discussed


_______________________________________________
Validation mailing list
Validation at cabforum.org
https://cabforum.org/mailman/listinfo/validation



本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任. 
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.




More information about the Validation mailing list