On Fri, Aug 23, 2019 at 4:37 PM Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> >> 1. I believe the BRs and/or underlying technical standards are very
> clear if the ST field should be a full name ("California") or an
> abbreviation ("CA").
>
> This is only true of the EV guidelines and only for Jurisdiction of
> Incorporation. There is no formatting requirement for place of business. I
> think requiring a format would help make the data more useful as you could
> consume it easier en masse.
>
> >> 2. The fact that a country has subdivisions listed in the general ISO
> standard for country codes doesn't mean that those are always part of
> the jurisdiction of incorporation and/or address.
>
> Right. For the EV Guidelines, what matters is the Jurisdiction of
> Registration or Jurisdiction of Incorporation as that is what is used to
> determine the Jurisdiction of Incorporation/Registration information,
> including what goes into the Registration Number Field.
>
> Incorporating Agency is defined as: In the context of a Private
> Organization, the government agency in the Jurisdiction of
> Incorporation under whose authority the legal existence of the entity is
> registered (e.g., the government agency that issues
> certificates of formation or incorporation). In the context of a
> Government Entity, the entity that enacts law, regulations, or
> decrees establishing the legal existence of Government Entities
>
> Registration Agency: A Governmental Agency that registers business
> information in connection with an entity's business
> formation or authorization to conduct business under a license, charter or
> other certification. A Registration Agency MAY
> include, but is not limited to (i) a State Department of Corporations or a
> Secretary of State; (ii) a licensing agency, such as a
> State Department of Insurance; or (iii) a chartering agency, such as a
> state office or department of financial regulation,
> banking or finance, or a federal agency such as the Office of the
> Comptroller of the Currency or Office of Thrift
> Supervision
>
> This is broad. IMO we should reduce it to be the number listed on the
> certificate of formation/incorporation so there is consistency to what the
> registration means. We should also identify in the certificate the source
> of the registration number as it provides information to relying parties
> about the actual organization.
>
It's less broad when you also include the additional (included by
reference) definition for Government Agency
Government Agency: In the context of a Private Organization, the government
agency in the Jurisdiction of Incorporation
under whose authority the legal existence of Private Organizations is
established (e.g., the government agency that issued
the Certificate of Incorporation). In the context of Business Entities, the
government agency in the jurisdiction of operation
that registers business entities. In the case of a Government Entity, the
entity that enacts law, regulations, or decrees
establishing the legal existence of Government Entities.
So, for example, a Private Organization who registers with multiple
entities frequently will only obtain the Certificate of Incorporation from
a single one of those entities, reducing some of the ambiguity and
confusion.
That said, I agree, we should better clarify the expectations by moving to
a per-Jurisdiction allowlist of such organizations. This would also allow
creating and assigning codes to those entities, allowing is to supplant or
replace the existing Jurisdiction information with that entity code, which
would then unambiguously identify those attributes.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
