[cabf_validation] EVGL: Question about "overlapping" verification sources

Pedro FUENTES pfuentes at WISEKEY.COM
Sat Apr 15 17:17:19 UTC 2023


Hello,
This is my first message in this list, so I’d like to apologise in case these topics are well known and have been discussed already. I had some exchanges with other members of the forum and the convenience of having this discussion here was mentioned.

TL;DR: I think the (improper) disclosure of verification sources is messing things up and creates a systemic problem.

We are resuming EV issuance and we have been doing some analysis and benchmarking of the different practices in EV certificate verification, in particular the verification of incorporation/registration schemas and their matching with the jurisdiction of registration/incorporation in some countries.

Things we found… given the same company “X” of category "Private Organization", existing in a certain country “C”, we can see:
CA 1 issues an EV certificate to “X” with registration number N1, issued by the incorporation agency A1, and JOI assigned at country level.
CA 2 issues an EV certificate to “X” with the same reg. number N1, issued by the same agency A1, but a different JOI, for example assigned at locality level.
CA 3 issues an EV certificate to “X” with registration number N2, issued by the incorporation agency A2, and JOI assigned at country level.

So three different combinations of reg. number and JOI, and this even happens in different certificates issued to the same customer by the same CA... Frankly speaking, I think something must be wrong here.

First of all, I’d like to expose my assumptions, based on a strict reading of the EVGL.
The “Jurisdiction of Incorporation” is defined for the scope of private organizations and government entities.
The “Jurisdiction of Registration” is defined for the scope of business entities only.
The Jurisdiction of Incorporation/Registration is a characteristic of the organization, which is part of its identity, and the combination of the incorporation/registration number and the related jurisdiction is something that is unique for the organization (i.e. a company incorporated in an agency will be incorporated in a particular and fixed jurisdiction for that agency).
These identity characteristics of the organizations exist before they try to get an EV certificate, so the role of the CA is to retrieve and verify these attributes, not to make them up on each verification.

So, if the EVGL says that for a “Private Organization” we need to consider the “Jurisdiction of Incorporation” (and not the Jurisdiction of Registration), and the incorporation happens once and in a given jurisdiction… how can it be possible that we have so much variation in the combinations of registration numbers and JOI?

Going down the rabbit hole...

Section 11.1.3 sets the need for “Disclosure of Verification Sources”, but then it’s worded in terms of “Disclosure of Incorporating Agency or Registration Agency”. This already creates an issue, because verification sources aren’t necessarily registration or incorporation agencies; these verification sources can be QGIS that are absolutely valid sources for obtaining information about the company.

I have some specific questions about the potential side effects of using “overlapping verification sources”.

Let me put an example… In Switzerland we have ZEFIX (Central Business Name Index), which is a federal resource to find information about companies. So this is a QGIS that works at the country level, but companies in Switzerland are incorporated in the cantons, and there are also cantonal registries (actually the same agency where companies are incorporated) which allow one to find the same information.
Therefore:
I can look for "WISeKey SA” in https://www.zefix.ch and get information telling me that WISeKey is a company incorporated in the Canton of Geneva, and I can get there the registration number and other details.
I can also look for “WISeKey SA” in https://www.ge.ch/recherche-entreprises-dans-registre-du-commerce-geneve and get the same information.
I’ve used two overlapping sources, one at country level, the other at cantonal level, but obviously the JOI and registration numbers are the same, because it’s the same company registered in the same agency (Registry of Commerce of Geneva).

I could put another example… In Korea, companies are incorporated in the local court, but not all of these courts have public websites that provide tools to retrieve the information needed for verification, so the best approach is to look for the company information on the website of the Supreme Court (https://www.iros.go.kr) and get there all the relevant information about the company, including the registration number and in which court it was incorporated (which sets the JOI, which is never at country level).

So, I have two considerations here:
Section 11.1.3 of the EVGL sets the need to indicate the accepted values for the JOI for each verification source, but this requirement is quite complex to fulfil when we work with QGIS that operate at country level but that can report incorporation at provincial and local levels.
Some CAs could assume that if they use a QGIS that operates at country level the JOI can be set at country level, and if they pull the (same) information from a local source, the JOI could be different… which is against all logic, because if we check the information registered by the SAME INCORPORATION/REGISTRATION agency, we need to identify the SAME JOI level for the same subscriber, independently of the QGIS that gives us the information.

Here are my questions…
Has there been any discussion about setting some "common criteria", country by country, on how to process registration numbers and JOI in a consistent manner, so that each CA doesn’t have to reinvent the wheel?
Why does section 11.1.3 have the title “Disclosure of verification sources” but not talk at all about disclosure of the QGIS used by the CA, given the fact that not all registration or incorporation agencies provide usable verification means (e.g. a website with a search feature)?
How do CAs understand that it is fine to use overlapping sources in a way that produces inconsistent JOI values for the same customer?

I could be fully misunderstanding things here, so any help getting background on the previous discussions, to decide on the current approach, would be greatly appreciated.

Next Thursday 20th April I’ll be participating in the sub-committee call for the first time… maybe this is something that can also be discussed there.

Thanks and regards,
Pedro

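To make the three-CA scenario and the Geneva example above concrete, here is an added Python sketch (not part of this message, nor any CA's tooling) that models what overlapping verification sources report about one company and flags JOI values that change depending on which source was consulted instead of being derived from the incorporating agency. The `Jurisdiction`/`SourceRecord` types are assumptions for illustration, and the registration number in the sample is a constructed placeholder.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Jurisdiction:
    country: str
    state: Optional[str] = None      # canton / province
    locality: Optional[str] = None

    def ev_subject_fields(self) -> dict:
        """The EVGL jurisdiction subject attributes this JOI would populate."""
        fields = {"jurisdictionCountryName": self.country}
        if self.state:
            fields["jurisdictionStateOrProvinceName"] = self.state
        if self.locality:
            fields["jurisdictionLocalityName"] = self.locality
        return fields

@dataclass(frozen=True)
class SourceRecord:
    """What one verification source (registry or QGIS) reports about a company."""
    source: str
    source_jurisdiction: Jurisdiction  # where the source itself operates
    agency: str                        # incorporating agency named in the record
    agency_jurisdiction: Jurisdiction  # where that agency incorporates companies
    registration_number: str

# The questionable shortcut: JOI taken from the level of the source consulted.
def joi_from_source(rec: SourceRecord) -> Jurisdiction: return rec.source_jurisdiction
# JOI taken from the incorporating agency, which is fixed for the company.
def joi_from_agency(rec: SourceRecord) -> Jurisdiction: return rec.agency_jurisdiction

def inconsistent_joi(records, joi_rule) -> dict:
    """Group by (agency, registration number); flag groups yielding more than one JOI."""
    seen = defaultdict(set)
    for rec in records:
        seen[(rec.agency, rec.registration_number)].add(joi_rule(rec))
    return {key: jois for key, jois in seen.items() if len(jois) > 1}

# Constructed sample: two overlapping sources (federal index and cantonal registry)
# for the same Geneva company; the registration number is a placeholder, not real.
GENEVA, SWITZERLAND = Jurisdiction("CH", state="Geneva"), Jurisdiction("CH")
SAMPLE_RECORDS = [
    SourceRecord("ZEFIX (federal index)", SWITZERLAND,
                 "Registry of Commerce of Geneva", GENEVA, "CHE-000.000.000"),
    SourceRecord("Geneva cantonal registry", GENEVA,
                 "Registry of Commerce of Geneva", GENEVA, "CHE-000.000.000"),
]
```

Running `inconsistent_joi(SAMPLE_RECORDS, joi_from_source)` reports the same (agency, number) pair with both a country-level and a cantonal JOI, while `joi_from_agency` reports nothing, which is the consistency property the message argues for.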
