A whitelist of QGIS sounds fairly difficult. And how long would it take to adopt a new one?
In some states you're going to have an authority per county. It'd be a big list.

On Thu, Sep 27, 2018 at 5:35 PM, Ian Carroll via dev-security-policy <[email protected]> wrote:

> On Wednesday, September 26, 2018 at 6:12:22 PM UTC-7, Ryan Sleevi wrote:
> > Thanks for raising this, Ian.
> >
> > The question and concern about QIIS is extremely reasonable. As discussed in past CA/Browser Forum activities, some CAs have extended the definition to treat Google Maps as a QIIS (it is not), as well as third-party WHOIS services (they’re not; that’s using a DTP).
> >
> > In the discussions, I proposed a comprehensive set of reforms that would wholly remedy this issue. Given that the objective of OV and EV certificates is nominally to establish a legal identity, and the legal identity is derived from State power of recognition, I proposed that only QGIS be recognized for such information. This wholly resolves differences in interpretation on suitable QIIS.
> >
> > However, to ensure there do not also emerge conflicting understandings of appropriate QGIS - and in particular, since the BRs and EVGs recognize a variety of QGIS’s with variable levels of assurance relative to the information included - I further suggested that the determination of a QGIS for a jurisdictional boundary should be maintained as a normative whitelist that can be interoperably used and assessed against. If a given jurisdiction is not included within that whitelist, or the QGIS is not on it, it cannot be used. Additions to that whitelist can be maintained by the Forum, based on an evaluation of the suitability of that QGIS for purpose, and a consensus for adoption.
> >
> > This would significantly reduce the risk, while also further reducing ambiguities that have arisen from some CAs attempting to argue that non-employees of the CA or QGIS, but which act as intermediaries on behalf of the CA to the QGIS, are not functionally and formally DTPs and thus subject to the assessment requirements of DTPs. This ambiguity is being exploited in ways that can allow a CA to nominally say it checked a QGIS, but is relying on the word of a third-party, and with no assurance of the system security of that third party.
> >
> > Do you think such a proposal would wholly address your concern?
>
> I think I'll always agree with removing intermediaries from the validation process. Outside of practical concerns, a whitelist of QGIS entities sounds like a good idea.
>
> I would wonder what the replacement for D&B is in the United States. You can normally get an address for a company from a QGIS but not (from the states I've seen) a phone number for callback verification.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

