Hello all,

Authentication of organization identity involves the collection of some attributes and their validation. To collect these attributes, a CA typically queries a reliable third-party source, e.g. the business register of the relevant country. Among the attributes that can be found in these sources there is normally also the /operational status/ of the company, such as ACTIVE or CEASED.

To me, it seems logical that a certificate should not be issued to a ceased company, but this is not specified in the SMBR. I believe we should specify it.

In the current SMBR, the entity status is required to be ACTIVE only in the particular case of inserting an LEI reference in the certificate (which is not mandatory), but not in the more general case. Perhaps an oversight?

A company that has gone out of business (e.g. in liquidation) may still "exist" in a certain way for some time (you can still check any other data regarding it in the company registry), but it is still a defunct company to which, in my opinion, a certificate should not be issued. I can imagine that someone will have a different opinion and say that there is no problem in issuing a certificate to a company in liquidation. But then, I see no reason why we require the entity status to be ACTIVE "If an LEI data reference is used".

I therefore propose to include a clarification in the SMBRs (possibly in section 3.2.3.1) that the operational status of the company is one of the attributes to be collected, and that it must be ACTIVE (or the equivalent according to the terminology of the relevant country), regardless of whether an LEI reference is used or not in the certificate.

Adriano

PS: In my opinion, this also affects the BRs and the CSBRs.


_______________________________________________
Smcwg-public mailing list
Smcwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public
