Yes, it would be work, but would result in consistent and reliable information, and already reflective of the fact that an EV certificate needs to identify the jurisdictionOfIncorporation and it's incorporating documents. Or are we saying that OV doesn't need to make sure it's actually a valid and legal entity, and can just display whatever information the CA feels is appropriate? ;)
On Thu, Sep 27, 2018 at 6:48 PM Matthew Hardeman via dev-security-policy < [email protected]> wrote: > A whitelist of QGIS sounds fairly difficult. And how long would it take to > adopt a new one? > > In some states you're going to have an authority per county. It'd be a big > list. > > On Thu, Sep 27, 2018 at 5:35 PM, Ian Carroll via dev-security-policy < > [email protected]> wrote: > > > On Wednesday, September 26, 2018 at 6:12:22 PM UTC-7, Ryan Sleevi wrote: > > > Thanks for raising this, Ian. > > > > > > The question and concern about QIIS is extremely reasonable. As > discussed > > > in past CA/Browser Forum activities, some CAs have extended the > > definition > > > to treat Google Maps as a QIIS (it is not), as well as third-party > WHOIS > > > services (they’re not; that’s using a DTP). > > > > > > In the discussions, I proposed a comprehensive set of reforms that > would > > > wholly remedy this issue. Given that the objective of OV and EV > > > certificates is nominally to establish a legal identity, and the legal > > > identity is derived from State power of recognition, I proposed that > only > > > QGIS be recognized for such information. This wholly resolves > differences > > > in interpretation on suitable QIIS. > > > > > > However, to ensure there do not also emerge conflicting understandings > of > > > appropriate QGIS - and in particular, since the BRs and EVGs recognize > a > > > variety of QGIS’s with variable levels of assurance relative to the > > > information included - I further suggested that the determination of a > > QGIS > > > for a jurisdictional boundary should be maintained as a normative > > whitelist > > > that can be interoperably used and assessed against. If a given > > > jurisdiction is not included within that whitelist, or the QGIS is not > on > > > it, it cannot be used. Additions to that whitelist can be maintained by > > the > > > Forum, based on an evaluation of the suitability of that QGIS for > > purpose, > > > and a consensus for adoption. > > > > > > This would significantly reduce the risk, while also further reducing > > > ambiguities that have arisen from some CAs attempting to argue that > > > non-employees of the CA or QGIS, but which act as intermediaries on > > behalf > > > of the CA to the QGIS, are not functionally and formally DTPs and this > > > subject to the assessment requirements of DTPs. This ambiguity is being > > > exploited in ways that can allow a CA to nominally say it checked a > QGIS, > > > but is relying on the word of a third-party, and with no assurance of > the > > > system security of that third party. > > > > > > Do you think such a proposal would wholly address your concern? > > > > I think I'll always agree with removing intermediaries from the > validation > > process. Outside of practical concerns, a whitelist of QGIS entities > sounds > > like a good idea. > > > > I would wonder what the replacement for D&B is in the United States. You > > can normally get an address for a company from a QGIS but not (from the > > states I've seen) a phone number for callback verification. > > _______________________________________________ > > dev-security-policy mailing list > > [email protected] > > https://lists.mozilla.org/listinfo/dev-security-policy > > > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
