CA/Browser Forum

Ballot 113 – Revision to QIIS in EV Guidelines (passes)


Voting ended on 13 January 2014. Quorum was 6 and 21 votes were cast: 20 by CAs and 1 by Browsers. Twenty votes were in favor of the amendment. Izenpe abstained. Therefore, the ballot passes.

The following proposal comes from the EV working group.

Jeremy Rowley made the following motion, and Rich Smith and Kirk Hall have endorsed it.

This ballot proposes a replacement to Section 11.10.5 of the Extended Validation Guidelines, which defines the qualifications of a QIIS. The previous QIIS definition did not accurately capture current CA practices. In fact, a strict reading of the existing definition might imply that CAs were prohibited from using Dun & Bradstreet, Hoovers, and other commercially reliable sources generally regarded as accurate sources of information. The proposed definition consolidates confusing and overlapping requirements while clarifying the QIIS verification requirements for CAs. The new definition permits CAs to use databases of information if the CA has documented its process to verify the data’s accuracy and the CA knows the information is not self-reported.

Motion begins

Effective immediately:

Replace Section 11.10.5 in the EV Guidelines:

11.10.5 Qualified Independent Information Source

A Qualified Independent Information Source (QIIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information. A commercial database is a QIIS if the following are true: (1) Industry groups rely on the database for providing accurate location or contact information; (2) The database distinguishes between self-reported data and data reported by independent information sources; (3) The database provider identifies how frequently they update the information in their database; (4) Changes in the data that will be relied upon will be reflected in the database in no more than 12 months; and (5) The database provider uses authoritative sources independent of the Subject, or multiple corroborated sources, to which the data pertains. Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest do not qualify as a QIIS. The CA MUST check the accuracy of the database and ensure its data is acceptable.

With the following proposed language for Section 11.10.5:

11.10.5 Qualified Independent Information Source

A Qualified Independent Information Source (QIIS) is a regularly updated and publicly available database that is generally recognized as a dependable and accurate source for certain information. A database qualifies as a QIIS if the CA determines that: (1) Industries other than the certificate industry rely on the database for accurate location, contact, or other information; and (2) The database provider updates its data on at least an annual basis. The CA SHALL use a documented process to check the accuracy of the database and ensure its data is acceptable, including reviewing the database provider’s terms of use. The CA SHALL NOT use any data in a QIIS that the CA knows is (i) self-reported and (ii) not verified by the QIIS as accurate. Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS.

Motion ends

The review period for this ballot shall commence immediately at 2300 UTC on 30 December 2013 and will close on 6 January 2014. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2300 UTC on 13 January 2014. Votes must be cast by posting an on-list reply to this thread.

A vote in favor of the ballot must indicate a clear ‘yes’ in the response. A vote against the ballot must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: /about/membership/members/

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and more than one half of the votes cast by members in the browser category must be in favor. Quorum is currently six (6) members: at least six members must participate in the ballot, either by voting in favor, voting against, or by abstaining, for the vote to be valid.

See

EV SSL Certificate Guidelines Version 1.4.4 (Redlined)

EV SSL Certificate Guidelines Version 1.4.4

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).