
EV Jurisdiction of Incorporation


Jeremy Rowley

Sep 11, 2019, 5:59:57 PM
to mozilla-dev-s...@lists.mozilla.org
Hi Everyone,



One of my goals at DigiCert is to provide greater transparency. One of the ideas I’ve kicked around is community-driven EV or EV transparency. To start that off, I thought I’d share the sources we use for verification of the jurisdiction of incorporation/registration here. This list is available here https://www.digicert.com/legal-repository/ (direct: https://www.digicert.com/wp-content/uploads/2019/09/DigiCert-Approved-Incorporating-Agencies.xlsx). Sharing this was suggested by the community and the DigiCert leadership team thought it was a great idea. Not only does it get community feedback on the sources we use (or shouldn’t use), but it may identify sources that other CAs could use to do the verification. The idea is we could build a definitive master list that the CAB forum could use for verification of EV. This would further standardize EV. If we start including a reference to the source, then someone could easily verify the accuracy of the information and the identity of an organization. This would solve a major headache I’ve had with EV – you can’t see where the JOI information originates.



For reference, section 8.5.2 requires a CA to verify the legal existence of an entity through “a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g. under a charter, treaty, convention, or equivalent recognition instrument)”. This is far broader than an incorporating agency, but we use incorporating agencies as the primary source, and we’re working to eliminate sources like SEC. This source list combines information from primary and secondary sources (both incorporating and registration sources).



Sharing this kind of information helps us get to the end-goal of a more transparent EV ecosystem and builds a more community-driven EV practice. I’m looking forward to your feedback. Also, let me know if this is interesting, and what else you’d like to see.



Thanks!



Jeremy





Ryan Sleevi

Sep 11, 2019, 8:55:39 PM
to Jeremy Rowley, mozilla-dev-s...@lists.mozilla.org
Thanks Jeremy,

This is great. I filed https://github.com/mozilla/pkipolicy/issues/188
because this seems like something that can be reused and perhaps even
required by policy.