[cabf_validation] [EXTERNAL]- Disclosure of verification sources

Pedro FUENTES pfuentes at WISEKEY.COM
Fri Apr 21 13:08:21 UTC 2023


Sorry, my proposed text had several typos… Resending it with corrections

Hello,
As discussed yesterday…

The current wording of 11.1.3 not only doesn't mandate disclosing QGIS but, applying a strict reading, would even disallow using QGIS, allowing only “Incorporating Agency or Registration Agency”. Given that in many countries these agencies don’t have online search facilities, on many occasions CAs must rely on QGIS to do verifications (i.e. to validate a document presented by the applicant or to find out information by the CA itself).

My proposal is to change section 11.1.3, so it opens the possibility to disclose and use QGIS, but without creating a potential issue with the JOI that must be specified in the certificate, which is still “where the applicant is incorporated or registered in a given agency”, so when it happens that incorporation/registration is at State or Locality level, but we are using a country-level QGIS, nobody is tempted to simplify and state a JOI at country-level.

Proposed text:
*******
11.1.3. Disclosure of Verification Sources
Prior to the use of a Verification Source to fulfil these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency, or QGIS. This disclosure SHALL be through an appropriate and readily accessible online means.

This Agency Information SHALL include at least the following:
  - Sufficient information to unambiguously identify the Incorporating Agency or Registration Agency or QGIS (such as a name, jurisdiction, and website); and,
  - The accepted value or values for each of the subject:jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1), subject:jurisdictionStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2), and subject:jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3) fields, when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and,
  - The acceptable form or syntax of Registration Numbers used by the Incorporating Agency or Registration Agency, if the CA restricts such Numbers to an acceptable form or syntax; and,
  - A revision history that includes a unique version number and date of publication for any additions, modifications, and/or removals from this list.

The CA MUST document where to obtain this information within Section 3.2 of the CA’s Certificate Policy and/or Certification Practice Statement.

When using a QGIS, the CA will need to ensure that the following conditions are met:
  - The QGIS informs of:
      - The name of the Incorporating Agency or Registration Agency where the applicant is incorporated/registered, and
      - The registration number assigned by the Agency to the Applicant
  - The Jurisdiction of Incorporation or Registration to be included in the certificate MUST match the accepted values listed for the Agency informed by the QGIS, which MUST also match the jurisdiction of incorporation or registration of the applicant

The CA MUST document where to obtain this information within Section 3.2 of the CA’s Certificate Policy and/or Certification Practice Statement.

*******

As reference, original text:
*******
11.1.3. Disclosure of Verification Sources
Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency. This disclosure SHALL be through an appropriate and readily accessible online means.

This Agency Information SHALL include at least the following:
  - Sufficient information to unambiguously identify the Incorporating Agency or Registration Agency (such as a name, jurisdiction, and website); and,
  - The accepted value or values for each of the subject:jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1), subject:jurisdictionStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2), and subject:jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3) fields, when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and,
  - The acceptable form or syntax of Registration Numbers used by the Incorporating Agency or Registration Agency, if the CA restricts such Numbers to an acceptable form or syntax; and,
  - A revision history that includes a unique version number and date of publication for any additions, modifications, and/or removals from this list.

The CA MUST document where to obtain this information within Section 3.2 of the CA’s Certificate Policy and/or Certification Practice Statement.
*******

> On 21 Apr 2023, at 14:03, Pedro FUENTES via Validation <validation at cabforum.org> wrote:
> 
> Hello,
> As discussed yesterday…
> 
> The current wording of 11.1.3, not only doesn't mandate to disclose QGIS, but applying strict reading, it would even disallow to use QGIS, but only “Incorporating Agency or Registration Agency”. Given that in many countries these agencies don’t have online search facilities, in many occasions CAs must rely on QGIS to do verifications (i.e. to validate a document presented by the applicant or to find out information the CA itself).
> 
> My proposal is to change section 11.1.3, so it opens the possibility to disclose and use QGIS, but without creating a potential issue with the JOI that must be specified in the certificate, which is still “where the applicant is incorporated or registered in a given agency”, so when it happens that incorporation/registration is at State or Locality level, but we are using a country-level QGIS, nobody is tempted to simplify and state a JOI at country-level.
> 
> Proposed text:
> *******
> 11.1.3. Disclosure of Verification Sources
> Prior to the use of Verification Source to fulfil these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency, or QGIS. This disclosure SHALL be through an appropriate and readily accessible online means.
> 
> This Agency Information SHALL include at least the following:
> Sufficient information to unambiguously identify the Incorporating Agency or Registration Agency or QGIS (such as a name, jurisdiction, and website); and,
> The accepted value or values for each of the subject:jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1), subject:jurisdictionStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2), and subject:jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3) fields, when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and,
> The acceptable form or syntax of Registration Numbers used by the Incorporating Agency or Registration Agency, if the CA restricts such Numbers to an acceptable form or syntax; and,
> A revision history that includes a unique version number and date of publication for any additions, modifications, and/or removals from this list.
> The CA MUST document where to obtain this information within Section 3.2 of the CA’s Certificate Policy and/or Certification Practice Statement.
> 
> When using a QGIS, the CA will need to ensure that the following conditions are met:
> The QGIS informs of:
> The name of the Incorporating Agency or Registration Agency where the applicant is incorporated/registered, and
> The registration number assigned by the Agency to the Applicant
> The Jurisdiction of Incorporation or Registration to be included in the certificate MUST match the accepted values listed for the Agency, and will also MUST match the jurisdiction of incorporation or registration of the applicant 
> 
> The CA MUST document where to obtain this information within Section 3.2 of the CA’s Certificate Policy and/or Certification Practice Statement.
> 
> *******
> 
> As reference, original text:
> *******
> 11.1.3. Disclosure of Verification Sources
> Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency. This disclosure SHALL be through an appropriate and readily accessible online means.
> 
> This Agency Information SHALL include at least the following:
> Sufficient information to unambiguously identify the Incorporating Agency or Registration Agency (such as a name, jurisdiction, and website); and,
> The accepted value or values for each of the subject:jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1), subject:jurisdictionStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2), and subject:jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3) fields, when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and,
> The acceptable form or syntax of Registration Numbers used by the Incorporating Agency or Registration Agency, if the CA restricts such Numbers to an acceptable form or syntax; and,
> A revision history that includes a unique version number and date of publication for any additions, modifications, and/or removals from this list.
> The CA MUST document where to obtain this information within Section 3.2 of the CA’s Certificate Policy and/or Certification Practice Statement.
> *******


WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
Stay connected with WISeKey <http://www.wisekey.com/>

THIS IS A TRUSTED MAIL: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks

CONFIDENTIALITY: This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender

DISCLAIMER: WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.
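
Added example, not part of the original message and not CA/Browser Forum text: one way a CA could check the Jurisdiction of Incorporation intended for a certificate against its disclosed Agency Information under the proposed wording, including the case raised in the message where a state-level agency is found through a country-level QGIS. The agency names, the "XX" country code, the registration number syntax and the function name are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Agency:
    """One entry of the CA's disclosed Agency Information (constructed model)."""
    name: str
    # Accepted (country, state, locality) values; None means the field is absent.
    accepted_joi: frozenset
    # Set only if the CA restricts Registration Numbers to a form or syntax.
    reg_number_re: Optional[str] = None

# Constructed sample disclosure list, not real agencies.
DISCLOSED = {a.name: a for a in (
    Agency("Example State Registry",
           frozenset({("XX", "Example State", None)}), r"ES-\d{6}"),
    Agency("Example National Register",
           frozenset({("XX", None, None)})),
)}

def check_joi(cert_joi, qgis_agency, qgis_reg_number, disclosed=DISCLOSED):
    """Return a list of problems; an empty list means the JOI is acceptable.

    cert_joi: (country, state, locality) intended for the jurisdiction* fields.
    qgis_agency, qgis_reg_number: what the QGIS reports about the applicant.
    """
    # Proposed condition: the QGIS must name the agency and the number.
    if not qgis_agency or not qgis_reg_number:
        return ["QGIS does not report both the agency and the registration number"]
    agency = disclosed.get(qgis_agency)
    if agency is None:
        return [f"agency {qgis_agency!r} is not in the disclosed list"]
    problems = []
    # The JOI must be one of the values disclosed for that agency, so a
    # country-level QGIS cannot turn a state-level registration into a
    # country-level JOI.
    if tuple(cert_joi) not in agency.accepted_joi:
        problems.append(f"JOI {tuple(cert_joi)} is not an accepted value for {agency.name}")
    if agency.reg_number_re and not re.fullmatch(agency.reg_number_re, qgis_reg_number):
        problems.append("registration number does not match the disclosed syntax")
    return problems

if __name__ == "__main__":
    # State-level agency found via a country-level QGIS, JOI simplified to country.
    print(check_joi(("XX", None, None), "Example State Registry", "ES-123456"))
```
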
