[cabf_validation] Validation Subcommittee - minutes of meeting held 14-Feb-2019

Dean Coclin dean.coclin at digicert.com
Sat Feb 16 07:06:20 MST 2019


GLEIF members were Christoph (Head of IT Development and Operations) and
Zornitsa (Head of Data Quality).

-----Original Message-----
From: Validation <validation-bounces at cabforum.org> On Behalf Of Bruce Morton
via Validation
Sent: Friday, February 15, 2019 1:25 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [cabf_validation] Validation Subcommittee - minutes of meeting held
14-Feb-2019

Present: Wayne Thayer, Ben Wilson, Doug Beattie, Dean Coclin, Ryan Sleevi,
Bruce Morton, Steve Roylance, Rich Smith, Christof? [BM - I did not record
the attendees, nor were the names on the recording, so this could be
updated]

Agenda:
1. Assign minutes / start recording
2. LEI discussion
3. IDN encodings and related issues
4. Topics for F2F agenda
5. Pending ballots

1. Bruce Morton was assigned to take minutes and Ben started the recording.

2. LEI Discussion
There was no agenda for the LEI discussion. There were some previously
discussed issues presented.
- Do LEIs meet the BR standard for OU?
- LEI information may change over time. The company name may change.
- LEI indication in the certificate is a lookup to other data source which
the CA does not verify.
- How are LEIs assigned or reused?
- If there changes can the history be reviewed? Is it time-stamped?

Response
- LEI is a 20 digit alpha-numeric code with no meaning
- One legal entity has one LEI code ever and no LEI code is ever reused
- If a legal entity is acquired but is independent, then it would keep its
LEI code
- If a legal entity is acquired, but is not independent, then it would be
merged, but the LEI code will remain as retired. Steve Roylance provided an
example,
https://clicktime.symantec.com/3UW6Cj36pKJCZdnWfjTpgbA7Vc?u=https%3A%2F%2Fww
w.gleif.org%2Flei%2F8156003296F50CB59850

How do we make sure that the LEI code was assigned to the legal entity at
the time of CA validation? How can you cross-check that the CA validated the
LEI code?

Response
- The full history of the reference data is on the site and updated 3 times
per day.
- If the data changes, then it will be updated in the LEI database. So an
address update will be updated.

What guidelines are there for the Local Organization Units (LOUs) to ensure
the data is reliable for all LOUs?

Response
- There is an LOU accreditation process which verifies all processes and
procedures. LOU's are revalidated. LOU's may be asked or additional
information if there is suspicion that the quality is not met. LOU's may be
asked for a remediation plan. An onsite audit may be required.
- There is a challenge process that anyone can open, which the LOU has to
address.

What is the validation process for a CA to match an LEI to a legal entity?
What are the edge cases?

Response
- Rich Smith stated that he would look for a one-to-one match of information
about the entity and the LEI data. Would not allow the data unless it is
fully corroborated.
- Fully corroborated means that all fields have been verified. Partly
corroborated may mean that only one piece of data was not verified.

Ryan was concerned about using GLEIF as a QIIS. More discussion is required.

Steve Roylance provided best practice LEI and certificates
https://clicktime.symantec.com/36kPJTZrDUaFyYw4duGqa677Vc?u=https%3A%2F%2Fww
w.ubisecure.com%2Flegal-entity-identifier-lei%2Flei-in-digital-certificates-
best-practice-definitions%2F 


Agenda items 3, 4 and 5 were not discussed


_______________________________________________
Validation mailing list
Validation at cabforum.org
https://clicktime.symantec.com/3MW4q81MheH8Y3hqE8w9ufC7Vc?u=https%3A%2F%2Fca
bforum.org%2Fmailman%2Flistinfo%2Fvalidation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4916 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20190216/01294353/attachment.p7s>


More information about the Validation mailing list