CA/Browser Forum
Home » All CA/Browser Forum Posts » Ballot 126 – Operational Existence (passed)

Ballot 126 – Operational Existence (passed)

Voting on Ballot 126 closed on 24 July 2014. Voting in favor were Comodo, DigiCert, Network Solutions, QuoVadis, Symantec, Trend Micro, WoSign, and Mozilla. Visa abstained. Quorum was met and Ballot 126 passed, resulting in EV SSL Certificate Guidelines Version 1.5.0.

Ballot 126 – Operational Existence

Jeremy Rowley of Digicert made the following motion and Cecilia Kam of Symantec and Doug Beattie of GlobalSign have endorsed it:

Reason(s) for Ballot 126:** Problem**(s)** **with Current Wording

A – Section 11.5 is unclear, as evidenced by the need to restate that requirement with an additional sentence

B – Section 11.5 begins with the word “If” – making it appear conditional rather than mandatory

C – Section 11.5 does not follow the framework used elsewhere in Section 11 of the EV Guidelines. The framework is: (1) state the requirement and (2) state the acceptable methods of meeting that requirement.

D – Section 11.5 could be edited to help clarify the relationship between “ability to engage in business” and “operational existence” for purposes of the EV Guidelines

Approach Used in Ballot 126 to Address the Problem

Language is removed from the requirements section (section 11.5.1) and placed in the acceptable methods section (section 11.5.2) so that section 11.5.1 simply says, “The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant’s, or Affiliate/Parent/Subsidiary Company’s, operational existence.”

Section 11.5.2 would begin, “To verify the Applicant’s ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by: ….” The current introduction to section 11.5.2 only refers to “operational existence” and not “an ability to engage in business”. An “ability to engage in business” is added to section 11.5.2 to keep it congruent with section 11.5.1.

Section 11.5.2:

(1) Three-year existence in subsection 11.5.2(1) comes from moving it down from section 11.5.1.

(2) QIIS/QTIS listing in subsection 11.5.2(2) also comes down from section 11.5.1.

Subsection (3) consists of wording changes to maintain parallelism throughout sections 11.5.1 and 11.5.2.

The word “or” between subsections (3) and (4) does not make section 11.5.2 any different substantively from how sections 11.5.1 and 11.5.2 currently exist.

Subsection (4) is essentially the same.

Additional Support for Approach Taken / Words Used in Ballot 126

Section 11.5 is meant to address operational existence. In drafting the original language, members of the Forum knew that it would be too hard to presumptively establish that an organization was “actually doing business,” but there was a desire to retain a requirement and method to establish that an organization had more than just a legal existence and physical address, and they settled on the concept of “an ability to do business”.

–Motion Begins

  1. DELETE Section 11.5.1 (Verification Requirements) of the EV Guidelines and INSERT the following:

11.5.1. Verification Requirements

The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant’s, or Affiliate/Parent/Subsidiary Company’s, operational existence.

  1. DELETE Section 11.5.2 (Verification Requirements) of the EV Guidelines and INSERT the following:

11.5.2. Acceptable Methods of Verification

To verify the Applicant’s ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by:

(1) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency;

(2) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS;

(3) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant’s, Affiliate’s, Parent Company’s, or Subsidiary Company’s Demand Deposit Account directly from a Regulated Financial Institution; or

(4) Relying on a Verified Legal Opinion or a Verified Accountant Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution.

–Motion Ends The review period for this ballot shall commence at 2200 UTC on Thursday, July 10, 2014, and will close at 2200 UTC on Thursday, July 17, 2014.

Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on Thursday, July 24, 2014. Votes must be cast by posting an on-list reply to this thread.

A vote in favor of the motion must indicate a clear ‘yes’ in the response.

A vote against must indicate a clear ‘no’ in the response.

A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted.

The latest vote received from any representative of a voting member before the close of the voting period will be counted.

Voting members are listed here:

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and more than one half of the votes cast by members in the browser category must be in favor. Quorum is currently seven (7) members– at least seven members must participate in the ballot, either by voting in favor, voting against, or by abstaining for the vote to be valid.

PDFs –

Ballot-126-redlined

Ballot-126-wo_redline 

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).