On Friday, June 14, 2019 at 1:31:12 PM UTC-4, [email protected] wrote:
> CAs already have rules allowing a Parent, Subsidiary, or Affiliate (all
> defined terms) to obtain certs for domains owned by each other - so
> Alphabet-Google, for example, can get certs for domains owned by each other.
> So we would use the same rules to make certain the registered trademark owner
> is a Parent, Subsidiary, or Affiliate of the EV cert Subject - we would use
> information from the SEC or other government securities agencies (including
> public filings), and/or other third party data that we have used for the past
> 10 years to prove affiliation. Also, remember, we only do trademark
> registration validation after we have completed EV validation, so we know who
> our certificate customer is. Many companies put their IP assets in an
> affiliated company for tax reasons - it should not be difficult to prove
> affiliation. If we can't prove it, the logo will not go into the EV cert.

Section 11 of the EV Guidelines has specific language for all cases where information for Parent/Subsidiary/Affiliate companies can be used for validation. Given that validation for trademarks/Logotype extensions is not specified anywhere in the BRs or EV Guidelines, there is no such language allowing the use of trademark data obtained from PSA companies in certificates.

Additionally, as Ryan alluded to, it is reasonable to interpret the definition of Subject Identity Information to also encompass any certificate extensions which contain identity information about the Subject. Given this, I believe that EV Guidelines section 9.2.9 is applicable as the intent of that section is clear: no identity information can be included in an EV certificate unless the steps for validation and encoding are thoroughly specified in the EV Guidelines. To assert otherwise is to assert that well-defined, rigorous validation steps are not needed for EV certificates.

Thanks,
Corey
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

