Disallowed company name

[James Burton]

I posted this also on the CAB Forum validation mailing list but I think
it's worthy of discussion on both lists.


I recently incorporated the company named ";", see:
https://beta.companieshouse.gov.uk/company/11363219. This company compiles with
the both the "Companies Act 2006" and "The Company, Limited Liability
Partnership and Business (Names and Trading Disclosures) Regulations 2015".


Now the current guidelines state that this type of name is not allowed due
to regulation 7.1.4.2.2 (j). I misinterpret this regulation and I thought
that because this name is complete and incorporated that the name should be
allowed in the O field. I was corrected by forum member.


This is wrong and should be changed to allow all types of legally
incorporated company names to get certificates. I understand this
doesn't fit any of the standard company name profiles you've seen but this
company name can be used in practice and I can think of many business
types that would love this type of name.


Thank you


James Burton

[Peter Saint-Andre]

We can also think of many business types (e.g., scammers) that would
love to have names like ⒶⓅⓅⓁⒺ but that doesn't mean it's smart to issue
certificates with such names. The authorities who approve of company
names don't necessarily have certificate handling in mind...

Just my centigram of silver...

Peter

[Matthew Hardeman]

On Thu, May 31, 2018 at 3:38 PM, James Burton via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

>
> I recently incorporated the company named ";", see:
> https://beta.companieshouse.gov.uk/company/11363219. This company
> compiles with
> the both the "Companies Act 2006" and "The Company, Limited Liability
> Partnership and Business (Names and Trading Disclosures) Regulations 2015".
>
>

...

> This is wrong and should be changed to allow all types of legally
> incorporated company names to get certificates. I understand this
> doesn't fit any of the standard company name profiles you've seen but this
> company name can be used in practice and I can think of many business
> types that would love this type of name.
>

I don't mean to be dismissive of the name -- which is hilarious -- but it
is difficult to imagine a business choosing to actually trade under that
name.

It is unlikely a bank will be willing to open an account so named. Even if
that were achieved, it is unlikely anyone's payables department is going to
be able to cut a check in favor of that name.

I wonder if you've ever annoyed a taxing authority? They have far less
humor than one might imagine.

Just because you've formed a legal entity with such a name does not mean
that others will regard it with legitimacy. They certainly might not in
terms of engaging in actual commerce. Perhaps with respect to
certificate's organization names it should be in the certificate as it is
in life. No one would choose to use that name in an actual business that
intends to be paid. Perhaps no certificate should feature that name either.

But why not name it "Attention '; DELETE FROM users; DELETE FROM user;
DELETE FROM customers; DELETE FROM customer; DELETE FROM client; DELETE
FROM clients; COMMIT; Injection, The Sequel, LLP"?

In the case of a business merely named ";", there's the burden that this
entity name, even if legal in some jurisdiction, is so nondescript and
vague as that any financial transaction with it would be questioned. A
certificate should not issue in such a name.

[Kristian Fiskerstrand]

On 05/31/2018 11:54 PM, Matthew Hardeman via dev-security-policy wrote:
> I wonder if you've ever annoyed a taxing authority? They have far less
> humor than one might imagine.
>
> Just because you've formed a legal entity with such a name does not mean
> that others will regard it with legitimacy. They certainly might not in
> terms of engaging in actual commerce. Perhaps with respect to
> certificate's organization names it should be in the certificate as it is
> in life. No one would choose to use that name in an actual business that
> intends to be paid. Perhaps no certificate should feature that name either.
>
> But why not name it "Attention '; DELETE FROM users; DELETE FROM user;
> DELETE FROM customers; DELETE FROM customer; DELETE FROM client; DELETE
> FROM clients; COMMIT; Injection, The Sequel, LLP"?

I'm sorry if this is considered off-topic, but as a point of trivia,
related to tax authority and business name discussion has a practical
example from the Norwegian business entity names in 2009;

https://w2.brreg.no/kunngjoring/hent_en.jsp?kid=20090000106309&sokeverdi=979829299&spraak=en

New business enterprise name: ';UPDATE TAXRATE SET RATE = 0 WHERE NAME =
'EDVIN SYSE'

they have a write-up on it on
https://blogg.syse.no/syse-data-og-bronnoysundregistrene/ in Norwegian,
although you'll find discussions about it if doing a:
https://www.google.no/search?q=edvin+taxrate

Apparently it generated so much traffic to the business registry that
they were requested to change the name...

--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

[Matthew Hardeman]

On Thu, May 31, 2018 at 4:18 PM, Peter Saint-Andre via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
>
>
> We can also think of many business types (e.g., scammers) that would
> love to have names like ⒶⓅⓅⓁⒺ but that doesn't mean it's smart to issue
> certificates with such names. The authorities who approve of company
> names don't necessarily have certificate handling in mind...
>

Indeed. Most of the government offices responsible for approving entity
creation are concerned first and foremost with ensuring that a unique name
within their jurisdiction is chosen and that a public record of the entity
creation exists. They are not concerned with risk management or
legitimacy, broadly speaking.

Anyone at any level of risk management in the rest of the ecosystem around
a business will be concerned with such matters. Banks, trade vendors, etc,
tend to reject accounts with names like this. Perhaps CAs should look upon
this similarly.

[Matthew Hardeman]

On Thu, May 31, 2018 at 5:03 PM, Kristian Fiskerstrand <k...@gentoo.org>
wrote:

>
> New business enterprise name: ';UPDATE TAXRATE SET RATE = 0 WHERE NAME =
> 'EDVIN SYSE'
>
> they have a write-up on it on
> https://blogg.syse.no/syse-data-og-bronnoysundregistrene/ in Norwegian,
> although you'll find discussions about it if doing a:
> https://www.google.no/search?q=edvin+taxrate
>
> Apparently it generated so much traffic to the business registry that
> they were requested to change the name...
>

That's hilarious. Where I'm from they'd accuse you of attempting to hack
them, though likely not actually attempt to prosecute it.

Instead, the filer would get flagged for manual in-person audits of every
conceivable type each year up to and beyond year of death.

[Wayne Thayer]

On Thu, May 31, 2018 at 8:39 PM James Burton via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

>
> This is wrong and should be changed to allow all types of legally
> incorporated company names to get certificates. I understand this
> doesn't fit any of the standard company name profiles you've seen but this
> company name can be used in practice and I can think of many business
> types that would love this type of name.
>

> In my opinion, this is just a rehash of the same debate we've been having
over misleading information in certificates ever since James obtained the
"Identity Verified" EV certificate. The options we have to address this
seem to be:
1. Accept that some entities, based on somewhat arbitrary rules and
decisions, can't get OV or EV certs
2. Accept that the organization information in certificates will sometimes
be misleading or at least uninformative
3. Decide that organization information in certificates is irrelevant and
ignore it, or get rid of it

We currently have chosen "some parts of all of the above" :-)

I am most interested in exploring the first option since that is the
direction CAs are headed with the recent proposal to limit EV certificates
to organizations that have existed for more than 18 months [1]. As long as
anyone can obtain a DV certificate, are restrictions on who can obtain an
OV or EV certificate a problem, and if so, why?

[1] https://cabforum.org/pipermail/validation/2018-May/000882.html

[Kristian Fiskerstrand]

On 06/01/2018 12:14 AM, Matthew Hardeman via dev-security-policy wrote:
> On Thu, May 31, 2018 at 5:03 PM, Kristian Fiskerstrand <k...@gentoo.org>
> wrote:
>
>>
>> New business enterprise name: ';UPDATE TAXRATE SET RATE = 0 WHERE NAME =
>> 'EDVIN SYSE'
>>
>> they have a write-up on it on
>> https://blogg.syse.no/syse-data-og-bronnoysundregistrene/ in Norwegian,

I was wrong, there is an English description at the bottom

>> Apparently it generated so much traffic to the business registry that
>> they were requested to change the name...
>>
>
> That's hilarious. Where I'm from they'd accuse you of attempting to hack
> them, though likely not actually attempt to prosecute it.
>

The name was changed after two days to
https://w2.brreg.no/kunngjoring/hent_en.jsp?kid=20090000109089&sokeverdi=979829299&spraak=en

New business enterprise name: BOBBY'S UNCLE EDVIN 'TABLES' SYSE

As they state in the blog post, the name was originally in tribute to:
"""
The name is a reference to an old XKCD-strip:

http://xkcd.com/327/

[Jeremy Rowley]

*Some cas. I don’t think the 18 month requirement is a universal position and may not even be a majority view. I think there’s other ideas that are better and add more value than simply extending the time a company is required to exist to get the cert.

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

[Peter Gutmann]

Matthew Hardeman writes:

>Banks, trade vendors, etc, tend to reject accounts with names like this.

Do they?

https://www.flickr.com/photos/nzphoto/6038112443/

Peter.

[Peter Gutmann]

Matthew Hardeman writes:
>On Thu, May 31, 2018 at 5:03 PM, Kristian Fiskerstrand <k...@gentoo.org> wrote:
>
>> New business enterprise name: ';UPDATE TAXRATE SET RATE = 0 WHERE NAME =
>> 'EDVIN SYSE'
>

>That's hilarious. Where I'm from they'd accuse you of attempting to hack
>them, though likely not actually attempt to prosecute it.

Some years ago I sent a cert request to a public CA's test server that
contained, among other things, the following:

static const CERT_DATA certReqData[] = {
/* Identification information */
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "US" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "SSL Certificates" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Robert';DROP TABLE certificates;--" ) },

(it's part of the standard self-test data that I use for my own code, used to
be a different SQLI string but I changed it to Bobby Tables as an homage to
XKCD).

Their test server went offline for several days.

I was nice enough not to submit the request to their production systems.

Peter.

[Peter Gutmann]

Matthew Hardeman writes:

>I wonder if you've ever annoyed a taxing authority? They have far less humor
>than one might imagine.

I used to have the account name administrator@<tax authority>, after trying
various SQLI@<tax authority> names and being somewhat disappointed that no
fireworks ensued. They were rather amused, and probably a bit proud of the
fact that no fireworks ensued.

Peter.

[Peter Kurrasch]

Regarding the options listed, I would agree with the first 2 but disagree with the third.

My characterization of this situation is as follows:

1. Trust is not granted to everyone. This is true in virtual realms as well as the real world. For example, not everyone in this forum trusts me (and perhaps shouldn't). 

2. Bad actors will resort to trickery, lies, and deception to get what they want and sometimes they will be successful despite every effort to stop them.

3. The onus is on CA's to prove that "additional validation" equals "more trustworthy". Their failure to do so will lead to the demise of EV.

Security can be viewed as a series of AND's that must be satisfied in order to conclude "you are probably secure". For example, when you browse to an important website, make sure that "https" is used AND that the domain name looks right  AND that a "lock icon" appears in the UI AND, if the site uses EV certs, that the name of the organization seems correct. Failing any of those, stop immediately; if all of them hold true, you are probably fine.

As the token bad guy in this forum, I have to make all of those steps happen if I expect to trick my victims. If I bother to get an EV cert but the name wildly mismatches for my particular objective, there's an increased chance my efforts at deception will fail. If any of those steps are taken away, my job is that much easier.

From: Wayne Thayer via dev-security-policy Sent: Thursday, May 31, 2018 5:39 PM‎

...

[Ryan Hurst]

re: Most of the government offices responsible for approving entity creation are concerned first and foremost with ensuring that a unique name within their jurisdiction is chosen

What makes you say that, most jurisdictions have no such requirement.

[Ryan Sleevi]

On Fri, Jun 1, 2018 at 9:14 AM, Peter Kurrasch via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Security can be viewed as a series of AND's that must be satisfied in
> order to conclude "you are probably secure". For example, when you browse
> to an important website, make sure that "https" is used AND that the domain
> name looks right AND that a "lock icon" appears in the UI AND, if the site
> uses EV certs, that the name of the organization seems correct. Failing any
> of those, stop immediately; if all of them hold true, you are probably fine.
>

Note that research has shown that your first, second, third, and fourth
options are all unreasonable requests of humans trying to be productive.

That is, https is unnecessarily confusing, "the domain looks right" is an
unreasonable task (might as well say "Make sure the fabardle is boijoing"
when presenting domains), and lock icons positive indicator is unnecessary
hostile. And that's before we get to EV certs (are you saying I shouldn't
do business with KLM?)

So basically, all four steps are unreasonable to determine you're fine :)

[Peter Saint-Andre]

Yes, it's a shame that we technologists have abjectly failed at
producing usable security.

However, given the mess we've made of things, we can at least do our
best to protect protect users with the weak and faulty mechanisms we've
created (and work to create better ones). What policies are appropriate
for organizational names in certificates?

Peter

[Jeremy Rowley]

Can you point to a jurisdiction that allows you to register the same name? I've never seen an example where it's permitted. Maybe the UK?

-----Original Message-----
From: dev-security-policy <dev-security-policy-bounces+jeremy.rowley=digice...@lists.mozilla.org> On Behalf Of Ryan Hurst via dev-security-policy
Sent: Friday, June 1, 2018 9:28 AM
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: Disallowed company name

On Thursday, May 31, 2018 at 3:07:36 PM UTC-7, Matthew Hardeman wrote:

re: Most of the government offices responsible for approving entity creation are concerned first and foremost with ensuring that a unique name within their jurisdiction is chosen

What makes you say that, most jurisdictions have no such requirement.

_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org

https://clicktime.symantec.com/a/1/H8qZVRE5_iLNO8giNWdHECRPUnhWmem4t7fNC9FYfaI=?d=3yPd_yGx1m4dQz3H1uWi0wkNACGDGvIL4Z--LNoP9eDPIWeD0dhf9Ol_tFkJGBJFFgtnLt2HO_UCbFnaqQu3zUWQTHxGduRJO0a_H4yYE3qhYRX3wzvleMJ_cCcflYSP6doSbnmNReFJlR_Gjut8oNV6EnnecC1kzxXkdJG19OPUi3qjxKSp_r4Tlk3ExNNIwR3DF26nn1z6wKDyzP1siUdOGQT4oa70wTAPNZrK417n5z35ynmL65-hmQXBJkPLvbJL_UkzAgimEa4Sjh8YgHtKR2tCSas65vpsh0YyIXTny7Puzb8Hvs9uNxGPMfSyStkq2pMn3jZpzjfKsgYMMKDzdouOUktqhPACnhr6Qsx3ZdCTubWI8EkLpQsj4nYxjihAKD9mM-9LyUQGRh4mQOOQ0U4zY3qAE6fPOz-Upa5efnAlQhO0GtTkcOHiosY%3D&u=https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy

[James Burton]

Hi Jeremy,

In the UK it would be class as “same as” and therefore wouldn’t be allowed
to be incorporated. You can see this in the links:

Companies Act 2006:
https://www.legislation.gov.uk/ukpga/2006/46/part/5/chapter/3

The Company, Limited Liability Partnership and Business (Names and Trading

Disclosures) Regulations 2015:
http://www.legislation.gov.uk/uksi/2015/17/regulation/7/made


James Burton

On Fri, 1 Jun 2018 at 20:32, Jeremy Rowley via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Can you point to a jurisdiction that allows you to register the same name?
> I've never seen an example where it's permitted. Maybe the UK?
>
> -----Original Message-----
> From: dev-security-policy <dev-security-policy-bounces+jeremy.rowley=
> digice...@lists.mozilla.org> On Behalf Of Ryan Hurst via
> dev-security-policy
> Sent: Friday, June 1, 2018 9:28 AM
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: Disallowed company name
>
> On Thursday, May 31, 2018 at 3:07:36 PM UTC-7, Matthew Hardeman wrote:

> re: Most of the government offices responsible for approving entity

> creation are concerned first and foremost with ensuring that a unique name
> within their jurisdiction is chosen
>

> What makes you say that, most jurisdictions have no such requirement.
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
>
> https://clicktime.symantec.com/a/1/H8qZVRE5_iLNO8giNWdHECRPUnhWmem4t7fNC9FYfaI=?d=3yPd_yGx1m4dQz3H1uWi0wkNACGDGvIL4Z--LNoP9eDPIWeD0dhf9Ol_tFkJGBJFFgtnLt2HO_UCbFnaqQu3zUWQTHxGduRJO0a_H4yYE3qhYRX3wzvleMJ_cCcflYSP6doSbnmNReFJlR_Gjut8oNV6EnnecC1kzxXkdJG19OPUi3qjxKSp_r4Tlk3ExNNIwR3DF26nn1z6wKDyzP1siUdOGQT4oa70wTAPNZrK417n5z35ynmL65-hmQXBJkPLvbJL_UkzAgimEa4Sjh8YgHtKR2tCSas65vpsh0YyIXTny7Puzb8Hvs9uNxGPMfSyStkq2pMn3jZpzjfKsgYMMKDzdouOUktqhPACnhr6Qsx3ZdCTubWI8EkLpQsj4nYxjihAKD9mM-9LyUQGRh4mQOOQ0U4zY3qAE6fPOz-Upa5efnAlQhO0GtTkcOHiosY%3D&u=https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org

> https://lists.mozilla.org/listinfo/dev-security-policy
>

[Matthew Hardeman]

On Fri, Jun 1, 2018 at 10:28 AM, Ryan Hurst via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

>
> re: Most of the government offices responsible for approving entity

> creation are concerned first and foremost with ensuring that a unique name
> within their jurisdiction is chosen
>

> What makes you say that, most jurisdictions have no such requirement.
>
>

This was anecdotal, based on my own experience with formation of various
limited liability entities in several US states.

Even my own state of Alabama, for example, (typically regarded as pretty
backwards) has strong policies and procedures in place for this.

In Alabama, formation of a limited liability entity whether a Corporation
or LLC, etc, begins with a filing in the relevant county probate court of
an Articles of Incorporation, Articles or Organization, trust formation
documents, or similar. As part of the mandatory filing package for those
document types, a name reservation certificate (which will be validated by
the probate court) from the Alabama Secretary of State will be required.
The filer must obtain those directly from the appropriate office of the
Alabama Secretary of State. (It can be done online, with a credit card.
The system enforces entity name uniqueness.)

[Matthew Hardeman]

On Thu, May 31, 2018 at 8:38 PM, Peter Gutmann <pgu...@cs.auckland.ac.nz>
wrote:

>
> >Banks, trade vendors, etc, tend to reject accounts with names like this.
>

> Do they?
>
> https://www.flickr.com/photos/nzphoto/6038112443/


I would hope that we could agree that there is generally a different risk
management burden in getting a store loyalty tracking card versus getting a
loan or even opening a business demand deposit account.

[James Burton]

I've spoke with a few UK banks about a opening bank account for ";" and
they are happy to proceed.

James Burton

On Fri, Jun 1, 2018 at 11:58 PM Matthew Hardeman <mhar...@gmail.com>
wrote:

[Peter Gutmann]

Matthew Hardeman <mhar...@gmail.com> writes:
>>On Thu, May 31, 2018 at 8:38 PM, Peter Gutmann <pgu...@cs.auckland.ac.nz>
>>wrote:
>>
>>>Banks, trade vendors, etc, tend to reject accounts with names like this.
>>
>>Do they?
>>
>>https://www.flickr.com/photos/nzphoto/6038112443/
>
>I would hope that we could agree that there is generally a different risk
>management burden in getting a store loyalty tracking card versus getting a
>loan or even opening a business demand deposit account.

I haven't gone through the full process of opening an account since I didn't
want to actually open a real account, but got most of the way through with
Bobby Tables, so it seems possible here. The account name is pretty much
irrelevant, all that matters is the account number. Then on making a payment
you get texted the details of the transaction (to/from/amount/etc) and asked
to approve it. The name never crops up.

In terms of tax filing it's the same, what matters is your taxpayer number,
not whether you want to file your return as Mister Mxyzptlk.

Peter.

[Lee]

On 6/1/18, Ryan Sleevi wrote:

> On Fri, Jun 1, 2018 at 9:14 AM, Peter Kurrasch wrote:
>
>> Security can be viewed as a series of AND's that must be satisfied in
>> order to conclude "you are probably secure". For example, when you browse
>> to an important website, make sure that "https" is used AND that the
>> domain name looks right AND that a "lock icon" appears in the UI AND,
>> if the site uses EV certs, that the name of the organization seems
>> correct. Failing any of those, stop immediately; if all of them hold
>> true, you are probably fine.
>
> Note that research has shown

citation required

> that your first,

>> make sure that "https" is used

trivially easy after one adds the line
user_pref("browser.urlbar.trimURLs", false);
to user.js.

> second,

>> the domain name looks right

easier after one adds the line
user_pref("network.IDN_show_punycode", true);
to user.js & while not so easy on your first visit, trivially easy thereafter.

> third,
>> a "lock icon" appears

trivially easy

> and fourth options

>> the name of the organization seems correct

a problem on your _first_ visit.

> are all unreasonable requests of humans trying to be productive.

They wouldn't be so unreasonable if Mozilla had picked better defaults.

Lee

[Ryan Hurst]

I apologize, I originally wrote in haste and did not clearly state what I
was suggesting.

Specifically, while it is typical for a given jurisdiction (state, etc) to
require a name to be unique, it is typically not a requirement for it to
not be so unique that it can not be confused for another name. For example,
I have seen businesses registered with punctuation and without; I have also
seen non-latin characters in use in business names this clearly has the
potential to introduce name confusion.

Ryan

On Fri, Jun 1, 2018 at 11:55 PM, Matthew Hardeman <mhar...@gmail.com>
wrote:

>
>

> On Fri, Jun 1, 2018 at 10:28 AM, Ryan Hurst via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
>>

>> re: Most of the government offices responsible for approving entity

>> creation are concerned first and foremost with ensuring that a unique name
>> within their jurisdiction is chosen
>>

[Jeremy Rowley]

Punctuation differences are not enough to register a name in the us, or at least in the jurisdictions here I’m aware of.

> On Jun 4, 2018, at 1:04 AM, Ryan Hurst via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
>
> I apologize, I originally wrote in haste and did not clearly state what I
> was suggesting.
>
> Specifically, while it is typical for a given jurisdiction (state, etc) to
> require a name to be unique, it is typically not a requirement for it to
> not be so unique that it can not be confused for another name. For example,
> I have seen businesses registered with punctuation and without; I have also
> seen non-latin characters in use in business names this clearly has the
> potential to introduce name confusion.
>
> Ryan
>
> On Fri, Jun 1, 2018 at 11:55 PM, Matthew Hardeman <mhar...@gmail.com>
> wrote:
>
>>
>>
>> On Fri, Jun 1, 2018 at 10:28 AM, Ryan Hurst via dev-security-policy <
>> dev-secur...@lists.mozilla.org> wrote:
>>
>>>

>>> re: Most of the government offices responsible for approving entity

>>> creation are concerned first and foremost with ensuring that a unique name
>>> within their jurisdiction is chosen
>>>

>>> What makes you say that, most jurisdictions have no such requirement.
>>>
>>>
>> This was anecdotal, based on my own experience with formation of various
>> limited liability entities in several US states.
>>
>> Even my own state of Alabama, for example, (typically regarded as pretty
>> backwards) has strong policies and procedures in place for this.
>>
>> In Alabama, formation of a limited liability entity whether a Corporation
>> or LLC, etc, begins with a filing in the relevant county probate court of
>> an Articles of Incorporation, Articles or Organization, trust formation
>> documents, or similar. As part of the mandatory filing package for those
>> document types, a name reservation certificate (which will be validated by
>> the probate court) from the Alabama Secretary of State will be required.
>> The filer must obtain those directly from the appropriate office of the
>> Alabama Secretary of State. (It can be done online, with a credit card.
>> The system enforces entity name uniqueness.)
>>

[James Burton]

This company only cost £10. £6 for the incorporation. £4 for sending in
NE01 form to Companies House.

On Mon, 4 Jun 2018 at 08:58, Jeremy Rowley via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Punctuation differences are not enough to register a name in the us, or at
> least in the jurisdictions here I’m aware of.
>
> > On Jun 4, 2018, at 1:04 AM, Ryan Hurst via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
> >
> > I apologize, I originally wrote in haste and did not clearly state what I
> > was suggesting.
> >
> > Specifically, while it is typical for a given jurisdiction (state, etc)
> to
> > require a name to be unique, it is typically not a requirement for it to
> > not be so unique that it can not be confused for another name. For
> example,
> > I have seen businesses registered with punctuation and without; I have
> also
> > seen non-latin characters in use in business names this clearly has the
> > potential to introduce name confusion.
> >
> > Ryan
> >
> > On Fri, Jun 1, 2018 at 11:55 PM, Matthew Hardeman <mhar...@gmail.com>
> > wrote:
> >
> >>
> >>
> >> On Fri, Jun 1, 2018 at 10:28 AM, Ryan Hurst via dev-security-policy <
> >> dev-secur...@lists.mozilla.org> wrote:
> >>
> >>>

> >>> re: Most of the government offices responsible for approving entity

> >>> creation are concerned first and foremost with ensuring that a unique
> name
> >>> within their jurisdiction is chosen
> >>>