[cabf_validation] Making progress on disclosures of data sources

Ryan Sleevi sleevi at google.com
Thu Apr 23 06:49:53 MST 2020


I'm not sure what this is in reply to, but I also think it's a false
dichotomy. These are all fundamental validation issues.

That is, the data quality issues - such as misencoded states, or incorrect
business categories, or ambiguity about locality - are all areas where we
have rules and expectations, but we see any two CAs reaching different
conclusions, we see the validation agents at the same CA reaching different
conclusions, and we see CAs reaching conclusions that are contrary to the
guidelines.

Registration Agency / Incorporating Agency is not enumerated in the EVGs,
but instead left to CA judgement. We've seen misissued certificates due to
differences of judgement and expectations here. We've similarly seen
misissued certificates that on their face appear correct, but only through
careful analysis (e.g. examining all possible Registration Agency /
Incorporating Agencies for a country with a given serial number) do we
realize that the entity is actually incorporated in an entirely separate
country.

The value of the CA/Browser Forum is about ensuring consistency, among all
CAs, that the information is validated to the same degree, and that quality
is consistently ensured. The entire point is to set forth minimum quality
guidelines, to ensure there's a consistent, repeatable process in place,
that does not depend on the CA selected.

Despite the unprofessional attempts to disrupt the conversation every time,
there is a real crisis of quality. CAs core business is not "issue
certificates" - it's trust. And there's a real lack of trust when there are
CAs issuing for "Some State" or "Default City".

There's a real concern with how unambiguous the existing requirements were,
yet how widespread it was for CAs to claim locally-registered non-profit or
charitable organizations were somehow International Organizations
recognized by "charter, treaty, convention, or other equivalent instrument"
of multiple countries. This is a data quality issue, for sure, but the EV
Guidelines already recognize that it may be necessary for the CAB Forum to
enumerate those, because of how exceptional and rare such organizations are
in practice (8.5.5 (a)) of the EVGs.

Data sources are equally a data quality issue. They're just not visible in
the certificate in the way those other items are, and so pose much greater
risk to Relying Parties. We need consistency if there's to be any value,
and we need consistency if there's to be any trust.

If we disagree on that, then there's something more fundamental at play
here, about what we believe the CA/Browser Forum is for, and why our
documents exist. If CAs are not interested in aligning to ensure consistent
and clear requirements, through transparent processes that improve trust,
then as an industry, it's doomed. And if CAs don't recognize the
persistent, pernicious data quality issues have shaken fundamental trust in
CAs processes and controls, and called into question all areas of CA
judgement, especially in areas of wide latitude afforded despite clear
expectations, such as jurisdictional validation, then they've been ignoring
the wide set of industry issues (to which the previous was only a subset)
that have been revealed in the past year.

On Thu, Apr 23, 2020 at 7:15 AM Doug Beattie <doug.beattie at globalsign.com>
wrote:

> There’s a difference between data quality and data sources.  Defining the
> data sources will not guarantee that the quality is improved.  That can
> only be achieved through automation that implements rigorous field
> validation checks.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20200423/91b478c9/attachment.html>


More information about the Validation mailing list