[cabf_validation] Draft Ballot for EVG: Disclosure of Registration Agency/Incorporating Agency

Ryan Sleevi sleevi at google.com
Mon Mar 2 07:00:00 MST 2020


On our last call, we discussed some of the difficulty in making forward
progress on harmonizing the jurisdiction fields and the relevant agencies.
On the call, one of the suggestions was to take an approach similar to how
CAA was phased in. The first step is simply to bring transparency, by
having CAs record the Incorporating Agency or Registration Agency that
they're verifying Legal Existence with (per 7.1 (A))

This draft is
https://github.com/cabforum/documents/compare/master...sleevi:2020-03-02-EVG-Jurisdiction
and
is very much a work in progress. If it would help to open a PR for easier
inline discussion and collaborative editing, I'm more than happy to, but I
first wanted to check this was on the 'right' track.

Details and Background:
>From the call, there didn't seem to be much clarity about any challenges
with the timing. No one raised any concerns, but I totally understand that
sometimes, the concerns aren't obvious until there's a concrete proposal.
I'm hoping that if CAs have concerns, they'll be able to concretely share
the challenges, so we can better understand and explore opportunities for
improvements.

On the call, there had been a suggestion to allow after-the-fact
disclosure. While this was considered, one of the significant challenges is
that this becomes very difficult to objectively ensure, as well as creates
opportunities for non-compliance. The biggest question that would arise is
what should happen to an EV Certificate if, by the 91st day, it was
determined that the CA had not disclosed the Agency they used? Would it be
misissued?

Similarly, consider the scenario where a CA does timely disclose the Agency
they used, but then later remove that Agency. While the disclosure
objective would be met, it would be difficult to estimate the scope of
certificates impacted, due to the potential tardiness.

This attempts to avoid the issue entirely, by simply requiring the CA
disclose (outside of their CP/CPS), with some clear documentation about
versioning and date, the sources and values they used. CAs are free to add,
remove, and modify this list at will, without any restrictions, provided
that every certificate they issue aligns with what they've disclosed.

This draft does not put restrictions on the particular implementation; for
example, CAs are not required to implement allow-lists within their CA
software, and instead may allow their validation staff to update the list
on the fly prior to issuance. However, as that would carry a greater risk
of misissuance (if a validation agent failed to update, for example, or
failed to confirm), there's certainly incentives for a CA to use stronger
technical means, but they're not absolutely required.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20200302/b712a315/attachment.html>


More information about the Validation mailing list