[Please note that the way MS Outlook marks quoted text doesn't work well
with Mozilla mail programs].
On 23/08/2019 22:37, Jeremy Rowley wrote:
>> 1. I believe the BRs and/or underlying technical standards are very
>> clear if the ST field should be a full name ("California") or an
>> abbreviation ("CA").
>
> This is only true of the EV guidelines and only for Jurisdiction of
> Incorporation. There is no formatting requirement for place of business.
> I think requiring a format would help make the data more useful as you
> could consume it easier en masse.
>
X.520 (10/2012) says this:
6.3.3 State or Province Name
The State or Province Name attribute type specifies a state or province.
When used as a component of a directory name, it identifies a geographical
subdivision in which the named object is physically located or with which
it is associated in some other important way.
An attribute value for State or Province Name is a string, e.g., S = "Ohio".
stateOrProvinceName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX UnboundedDirectoryString
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"st"}
ID id-at-stateOrProvinceName }
The Collective State or Province Name attribute type specifies a state or
province name for a collection of entries.
collectiveStateOrProvinceName ATTRIBUTE ::= {
SUBTYPE OF stateOrProvinceName
COLLECTIVE TRUE
ID id-at-collectiveStateOrProvinceName }
[End of X.520 section 6.3.3]
For the location, (L and street attributes), X.520 is quite vague, but
for the remarkably similar "postalAddress" attribute is defined in terms
of the F.401 specification.
>> 2. The fact that a country has subdivisions listed in the general ISO
>> standard for country codes doesn't mean that those are always part of
>> the jurisdiction of incorporation and/or address.
>
> Right. For the EV Guidelines, what matters is the Jurisdiction of
> Registration or Jurisdiction of Incorporation as that is what is used> to
> determine the Jurisdiction of Incorporation/Registration information,
> including what goes into the Registration Number Field.
As I mentioned, these are issues seen with other CAs blindly importing
ISO 3166-2 into their systems. For example one CA recently insisted
that we filled the ST field with the equivalent of a county, because
there was a political desire to eliminate having elected officials at
the equivalent of state level, so someone in government probably went
ahead and submitted an update to 3166-2 presuming success of that
effort.
>
> Incorporating Agency is defined as: In the context of a Private
> Organization, the government agency in the Jurisdiction of
> Incorporation under whose authority the legal existence of the entity
> is registered (e.g., the government agency that issues certificates
> of formation or incorporation). In the context of a Government Entity,
> the entity that enacts law, regulations, or decrees establishing the
> legal existence of Government Entities
>
> Registration Agency: A Governmental Agency that registers business
> information in connection with an entity's business formation or
> authorization to conduct business under a license, charter or other
> certification. A Registration Agency MAY include, but is not limited
> to (i) a State Department of Corporations or a Secretary of State;
> (ii) a licensing agency, such as a State Department of Insurance; or
> (iii) a chartering agency, such as a state office or department of
> financial regulation, banking or finance, or a federal agency such
> as the Office of the Comptroller of the Currency or Office of Thrift
> Supervision
>
> This is broad. IMO we should reduce it to be the number listed on the>
> certificate of formation/incorporation so there is consistency to what
> the registration means. We should also identify in the certificate the
> source of the registration number as it provides information to relying
> parties about the actual organization.
For most of the non-default numbering sources, the addition made in EVG
1.7.0 appears to provide this. Ideally, this should leave us with
exactly one number-authority for each jurisdiction, org type and number
format, subject of cause to random changes in local legislation and/or
government practice.
For my example of C=DK, the numbering system for government entities has
changed multiple times in recent decades. In the 1970s there was only
some tiny numbering systems such as 3 digit county numbers found in some
obscure government records. In the early 2000s it was decreed that all
billing of government customers at all levels should use an XML format
that identified each sub-entity by an EAN number (as in the 13 digit
number system for product barcodes!), which was subsequently changed to
many of the larger entities instead getting numbers from the companies
registry (currently up to 8 digits, with older registrants having
shorter numbers). However there is an online database for mapping
numbers in both systems to entity names (but not the other way!), and
of cause the full searchability of the companies database.
>
>> 3. The fact that a government data source lists the incorporation
>> locality of a company, doesn't mean that this locality detail is
>> actually a relevant part of the jurisdictionOfIncorporation. This
>> essentially depends if the rules in that country ensure uniqueness of
>> both the company number and company name at a higher jurisdiction
>> level (national or state) to the same degree as at the lower level.
>> For example, in the US the company name "Stripe" is not unique
>> nationwide.
>
> Right - this depends on where the formation/registration occurs. That's
> captured in the EV guidelines.
>
Unfortunately, there is no consistent mapping between the general words
of the EVG and the variable practice of various governments.
Again for C=DK, there is an old tradition that incorporation paperwork
states the county of incorporation, even though for many decades now the
registration is actually done in country level computer systems, that
capture the text of that paperwork. Thus someone reading the wording of
company bylaws, would assume all companies are registered and incorporated
at the county level, because the bylaws will usually not even mention the
country (or the registration number, as the initial bylaws must be
submitted to get a number).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
