Thanks Jeremy,

This is great. I filed https://github.com/mozilla/pkipolicy/issues/188 because this seems like something that can be reused and perhaps even required by policy.

On Wed, Sep 11, 2019 at 5:59 PM Jeremy Rowley via dev-security-policy <[email protected]> wrote:

> Hi Everyone,
>
> One of my goals at DigiCert is to provide greater transparency. One of the
> ideas I’ve kicked around is community-driven EV or EV transparency. To
> start that off, I thought I’d share the sources we use for verification of
> the jurisdiction of incorporation/registration here. This list is available
> here https://www.digicert.com/legal-repository/ (direct:
> https://www.digicert.com/wp-content/uploads/2019/09/DigiCert-Approved-Incorporating-Agencies.xlsx).
> Sharing this was suggested from the community and the DigiCert leadership
> team thought it was a great idea. Not only does it get community feedback
> on the sources we use (or shouldn’t use), but it may identify sources that
> other CAs could use to do the verification. The idea is we could build a
> definitive master list that the CAB forum could use for verification of EV.
> This would further standardize EV. If we start including a reference to the
> source, then someone could easily verify the accuracy of the information
> and the identity of an organization. This would solve a major headache
> I’ve had with EV – you can’t see where the JOI information originates.
>
> For reference, section 8.5.2 requires a CA to verify the legal existence
> of an entity through “a filing with (or an act of) the Incorporating or
> Registration Agency in its Jurisdiction of Incorporation or Registration
> (e.g., by issuance of a certificate of incorporation, registration number,
> etc.) or created or recognized by a Government Agency (e.g. under a
> charter, treaty, convention, or equivalent recognition instrument)”. This
> is far broader than an incorporating agency, but we use incorporating
> agencies as the primary source, and we’re working to eliminate sources like
> SEC. This source list combines information from primary and secondary
> sources (both incorporating and registration sources).
>
> Sharing this kind of information helps us get to the end-goal of a more
> transparent EV ecosystem and builds a more community-driven EV practice.
> I’m looking forward to your feedback. Also, let me know if this is
> interesting, and what else you’d like to see.
>
> Thanks!
>
> Jeremy
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

