On Friday, June 14, 2019 at 1:31:12 PM UTC-4, kirkhal...@gmail.com wrote:
> CAs already have rules allowing a Parent, Subsidiary, or Affiliate (all
> defined terms) to obtain certs for domains owned by each other - so
> Alphabet-Google, for example, can get certs for domains owned by each other.
> So we would use the same rules to make certain the registered trademark owner
> is a Parent, Subsidiary, or Affiliate of the EV cert Subject - we would use
> information from the SEC or other government securities agencies (including
> public filings), and/or other third party data that we have used for the past
> 10 years to prove affiliation. Also, remember, we only do trademark
> registration validation after we have completed EV validation, so we know who
> our certificate customer is. Many companies put their IP assets in an
> affiliated company for tax reasons - it should not be difficult to prove
> affiliation. If we can't prove it, the logo will not go into the EV cert.

Section 11 of the EV Guidelines has specific language for all cases where
information for Parent/Subsidiary/Affiliate companies can be used for
validation. Given that validation for trademarks/Logotype extensions is not
specified anywhere in the BRs or EV Guidelines, there is no such language
allowing the use of trademark data obtained from PSA companies in certificates.
Additionally, as Ryan alluded to, it is reasonable to interpret the definition
of Subject Identity Information to also encompass any certificate extensions
which contain identity information about the Subject. Given this, I believe
that EV Guidelines section 9.2.9 is applicable as the intent of that section is
clear: no identity information can be included in an EV certificate unless the
steps for validation and encoding are thoroughly specified in the EV
Guidelines. To assert otherwise is to assert that well-defined, rigorous
validation steps are not needed for EV certificates.

Thanks,
Corey