[cabf_validation] QGIS as Verification Source (and its disclosure)

Pedro FUENTES pfuentes at wisekey.com
Wed Jun 19 14:28:57 UTC 2024


Hello,
As discussed in the last meeting, I’m sending here a summary of the things mentioned around this topic, so you can chime in and see if this can become a ballot at some point.

Some time ago I prepared the attached deck to help me expose the issue. I’m sending it again so you can check what my rationale was.

In summary, my point is that the EVGL has only explicit wording about “the use of an Incorporating Agency or Registration Agency” as verification sources, in particular also this is only mentioned as needed information sources that need to be disclosed. My understanding is that the lack of mention of the use of a QGIS would be interpreted as being not allowed as verification source, but the real situation is that in many countries the incorporation or registration agencies don’t have public websites or useable methods for a CA to use them, but we can find in most cases QGIS that publish this information, so CAs are indeed already using QGIS as verification sources, whenever the final agency is not publishing the information.

Also in most cases we will find that these QGIS are working as “aggregators” that compile information from multiple jurisdictions, so it can happen that we use a QGIS that gives information for a whole country, but actually the companies are incorporated/registered at a subordinate level (i.e. state level). This consideration is important to ensure that a CA doesn’t wrongly set the JOI level at the level of the aggregator.

I created this PR that intends to (I hope so) sort out the language of the EVGL to regulate the use of QGIS, while also setting the need to disclose those QGIS appropriately: https://github.com/cabforum/servercert/pull/510

I also took the liberty to amend a bit the definition of “Jurisdiction of Incorporation” and “Jurisdiction of Registration”, because I think those include a wording that is either incorrect or misleading (i.e. expressions like “In the context of” would mean that the term being described applies to that context, while IMHO it doesn’t always apply).

During the call there was mention about opening the discussion to particular information sources that aren’t QGIS, such as the GLEIF, so feel free to express here those thoughts.

Thanks and regards,
Pedro



WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland

-------------- next part --------------
A non-text attachment was scrubbed...
Name: QGIS in EV.pdf
Type: application/pdf
Size: 92421 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240619/02e6dd83/attachment-0001.pdf>