[cabf_validation] Government Entities and section 11.1.3
Stephan Wolf
Stephan.Wolf at Gleif.org
Sat Sep 26 01:49:49 MST 2020
Hi Daniela, et.al.,
The international regulators constituting the LEI Regulatory Oversight Committee (LEI ROC) issued in 2019 an open consultation on government eligibility for LEIs:
https://www.leiroc.org/publications/gls/roc_20191025-1.pdf
As GLEIF, we are awaiting policy guidelines soon which we are going to incorporate in our validation schemes and standards. I will be very happy to update this group on the developments.
I am also excited to report that ISO published the revised ISO 17442 standard including a rule book for embedding LEIs in X.509 certs. Please read more about it here:
https://www.gleif.org/en/newsroom/blog/the-lei-the-missing-ingredient-in-digital-certificate-management and
https://www.iso.org/standard/79917.html
We are working with ISO and ETSI on joint language for the application of the respective standards in eIDAS certificates and seals. Again, I would be happy to update this group on the developments.
Please let me know in case of any questions or remarks individually or via this mailing list.
Best,
Stephan
Stephan Wolf
CEO
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Global Legal Entity Identifier Foundation (GLEIF)
Mobile: +49 151 52753557
Web: www.gleif.org
Von: Validation <validation-bounces at cabforum.org> im Auftrag von Daniela Hood via Validation <validation at cabforum.org>
Antworten an: Daniela Hood <dxhood at godaddy.com>, CA/Browser Forum Validation SC List <validation at cabforum.org>
Datum: Samstag, 26. September 2020 um 01:46
An: Ryan Sleevi <sleevi at google.com>
Cc: CA/Browser Forum Validation SC List <validation at cabforum.org>
Betreff: Re: [cabf_validation] Government Entities and section 11.1.3
Hi Ryan,
Thank you for your prompt answers. The clarifications provided by your e-mails are truly appreciated.
We agree with your statements about Business Entities and Private Organizations and it has been our understanding all along.
The question really came down when thinking of Government Entities, and I will pass along the information provided to the respective teams.
Thanks again,
Daniela Hood
From: Ryan Sleevi <sleevi at google.com>
Sent: Friday, September 25, 2020 4:24 PM
To: Daniela Hood <dxhood at godaddy.com>
Cc: CA/Browser Forum Validation SC List <validation at cabforum.org>
Subject: Re: [cabf_validation] Government Entities and section 11.1.3
Notice: This email is from an external sender.
Yes.
While disclosure is always good, as you note, the specification sections with respect to Government Entity Subjects don't make use of the defined terms Registration Agency or Incorporating Agency, and thus wouldn't be part of disclosure of Registration Agency or Incorporating Agency.
This reply is in the context of Government Entities; as noted, Business Entities and Private Organizations do make use of the term, and thus Verified Professional Letters are still in scope, with respect to the CA disclosing those sources used by the Verified Professional Letter.
On Fri, Sep 25, 2020 at 7:01 PM Daniela Hood <dxhood at godaddy.com> wrote:
Hey Ryan,
Thank you very much for your answer.
Our understanding of how this applies to Private Organizations and Business Entities is on point with what you said. We still appreciate the clarification though.
To clarify about Government Entities, the sections we are referring to are:
4. Definitions
“Jurisdiction of Incorporation: In the context of a Private Organization, the country and (where applicable) the state or province or locality where the organization's legal existence was established by a filing with (or an act of) an appropriate government agency or entity (e.g., where it was incorporated). In the context of a Government Entity, the country and (where applicable) the state or province where the Entity's legal existence was created by law.”
11.2.2.(2)
“(2) Government Entity Subjects: Unless verified under subsection (6), all items listed in Section 11.2.1(2) MUST either be verified directly with, or obtained directly from, one of the following: (i) a Qualified Government Information Source in the political subdivision in which such Government Entity operates; (ii) a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or (iii) from a judge that is an active member of the federal, state or local judiciary within that political subdivision.
Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in Section 11.11.1.
Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source.”
11.2.2.(6)
“(6) The CA may rely on a Verified Professional Letter to establish the Applicant's information listed in (1)-(5) above if (i) the Verified Professional Letter includes a copy of supporting documentation used to establish the Applicant's legal existence, such as a certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act, and (ii) the CA confirms the Applicant's organization name specified in the Verified Professional Letter with a QIIS or QGIS.”
None of these sections reference using an incorporation or registration agency, but it allows for the use of a Professional Letter to verify legal existence, identity and jurisdiction.
Our question is if we receive a Professional Letter referencing (and accompanied by) a government act, does the Government Agency who enacted that act need to be on the disclosure list? It is our understanding from previous conversations within the validation committee that it would not need to be included on the disclosure list. It is also our understanding that this ballot does not change validation of Government Entities at all.
Would you agree with that?
Daniela Hood
GoDaddy | Compliance Manager
+16026881766
Arizona, United States
dxhood at godaddy.com
From: Ryan Sleevi <sleevi at google.com>
Sent: Thursday, September 24, 2020 11:51 AM
To: Daniela Hood <dxhood at godaddy.com>; CA/Browser Forum Validation SC List <validation at cabforum.org>
Subject: Re: [cabf_validation] Government Entities and section 11.1.3
Notice: This email is from an external sender.
On Thu, Sep 24, 2020 at 2:07 PM Daniela Hood via Validation <validation at cabforum.org> wrote:
Hello All,
The team brought up something about the implementation of ballot SC30, that I wanted to get some clarifications.
I have asked a similar question before and Ryan was kind enough to answer, but the way it is written still causing multiple interpretations.
“Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency.”
1-Some members of the team read that this does not affect sub section 6 Professional Opinion Letters.
2-Others read that, it does affect because on the letter it discloses the jurisdiction.
#2 is correct.
That is, Verified Professional Letters (11.2.2 (6)) used to establish the information required by 11.2.2 (1) still requires disclosure of the Incorporating Agency or Registration Agency used by the Verified Professional Letter.
That is, while a Verified Professional Letter allows the CA to not have to directly verify with the Incorporating or Registration Agency, the issuer of the Verified Professional Letter is still required to perform that task, and required to provide supporting documentation to that effect (e.g. "certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act" all have, in some way, a scoping of the jurisdiction information and tied to such an Agency, at least with respect to Private Organizations or Business Entity Subjects)
Put differently, the goal for disclosure is the set of sources in 11.2.1(1)(A)/(C) and 11.2.1(3)(A)/(C), as these use Incorporating / Registration Agencies. 11.2.2 describes methods of validating that information, but at the core, the information required by 11.2.1 still has to be obtained, and that's what is being disclosed here, regardless of how 11.2.2 validated it.
When I asked this previously, Ryan clarified that for Business Entities second option would be true, however the same is not applicable for Government Entities.
My goal it is to make sure we are all on the same page here and that the section 11.1.3 of the EV Guidelines does not pertain to Government Entities.
If that is the case, I would also suggest the addition of clarification language, so people that are in the industry but do not participate in this forum, are also aware of the intent of this section.
Any thoughts, suggestions?
I guess I'm not sure the relationship between Verified Professional Letters and Government Entities here, in the context of 11.1.3, since it only discusses Incorporating Agency / Registration Agency.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20200926/4949742e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1891 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20200926/4949742e/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 1926 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20200926/4949742e/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 6006 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20200926/4949742e/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 20470 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20200926/4949742e/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2531 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20200926/4949742e/attachment-0001.p7s>
More information about the Validation
mailing list