CA/Browser Forum

Ballot 147 – Attorney-Accountant Letter Changes

Voting on Ballot 147 has closed. Here are the results:

From CAs, we received 15 YES votes, 0 NO votes and 3 ABSTAIN votes.

From Browsers, we received 1 YES vote, 0 NO votes and 0 ABSTAIN votes.

The quorum has been met and the ballot passes.

Reason for Ballot

This is a validation working group final product that will amend the EV Guidelines to permit verification of legal existence through an attorney/accountant opinion letter. This change is based on the rationale that attorneys are the most skilled at verifying legal existence, yet are currently not permitted to do so. To ensure that a single legal letter is not the sole source of validation, language was included to require corroboration with a QIIS. Kirk Hall of TrendMicro made the following motion, and Cecilia Kam from Symantec and Jeremy Rowley from DigiCert have endorsed it.

Motion Begins

  1. Add the following definition: Verified Professional Letter: A Verified Accountant Letter or Verified Legal Opinion.
  2. Amend the guidelines as follows:

11.2. Verification of Applicant’s Legal Existence and Identity

11.2.2. Acceptable Method of Verification

To verify the Applicant’s legal existence and identity, the CA MUST do the following.

(1) Private Organization Subjects: Unless verified under subsection (6), all items listed in Section 11.2.1(1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant’s Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source.

(2) Government Entity Subjects: Unless verified under subsection (6), all items listed in Section 11.2.1(2) MUST either be verified directly with, or obtained directly from, one of the following: (i) a Qualified Government Information Source in the political subdivision in which such Government Entity operates; (ii) a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or (iii) from a judge that is an active member of the federal, state or local judiciary within that political subdivision~~, or (iv) an attorney representing the Government Entity~~. Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in Section 11.11.1. Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source.

(3) Business Entity Subjects: Unless verified under subsection (6), items listed in Section 11.2.1(3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant’s Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, email, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below.

***

(5) Non-Commercial Entity Subjects (International Organization): Unless verified under subsection (6), all items listed in Section 11.2.1(4) MUST be verified either:

(A) With reference to the constituent document under which the International Organization was formed; or

(B) Directly with a signatory country’s government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country’s government has a mission to represent it at the International Organization; or

(C) Directly against any current list of qualified entities that the CA/Browser Forum may maintain at www.cabforum.org.

(D) In cases where the International Organization applying for the EV Certificate is an organ or agency – including a non-governmental organization of a verified International Organization, then the CA may verify the International Organization Applicant directly with the verified umbrella International Organization of which the Applicant is an organ or agency.

(6) The CA may rely on a Verified Professional Letter to establish the Applicant’s information listed in (1)-(5) above if (i) the Verified Professional Letter includes a copy of supporting documentation used to establish the Applicant’s legal existence, such as a certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act, and (ii) the CA confirms the Applicant’s organization name specified in the Verified Professional Letter with a QIIS or QGIS.

***

11.3. Verification of Applicant’s Legal Existence and Identity – Assumed Name

11.3.2. Acceptable Method of Verification

To verify any assumed name under which the Applicant conducts business:

(1) The CA MAY verify the assumed name through use of a Qualified Government Information Source operated by, or on behalf of, an appropriate government agency in the jurisdiction of the Applicant’s Place of Business, or by direct contact with such government agency in person or via mail, e-mail, Web address, or telephone; or

(2) The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency.

(3) The CA MAY rely on a Verified Professional Letter Verified Legal Opinion, or a Verified Accountant Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid.

11.4. Verification of Applicant’s Physical Existence

11.4.1. Address of Applicant’s Place of Business

***

(2) Acceptable Methods of Verification

(A) Place of Business in the Country of Incorporation or Registration

***

(2) For all Applicants, the CA MAY alternatively rely on a Verified Professional Letter Verified Legal Opinion or a Verified Accountant Letter that indicates the address of the Applicant’s or a Parent/Subsidiary Company’s Place of Business and that business operations are conducted there.

***

(B) Place of Business not in the Country of Incorporation or Registration: The CA MUST rely on a Verified Professional Letter Verified Legal Opinion or Verified Accountant’s Letter that indicates the address of the Applicant’s Place of Business and that business operations are conducted there.

11.4.2. Telephone Number for Applicant’s Place of Business

(2) Acceptable Methods of Verification: To verify the Applicant’s telephone number, the CA MUST perform items A and either B or C as listed below:

***

(C) Rely on a Verified Professional Letter Verified Legal Opinion or a Verified Accountant Letter to the effect that the Applicant’s telephone number, as provided, is a main phone number for the Applicant’s Place of Business.

[Note: Section 11.5 – Verified Method of Communication – was added by Ballot 131 and all subsequent sections were incremented by 1]

11.6. Verification of Applicant’s Operational Existence

11.6.2. Acceptable Methods of Verification

To verify the Applicant’s ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by:

(4) Relying on a Verified Professional Letter Verified Legal Opinion or a Verified Accountant Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution.

11.8. Verification of Name, Title, and Authority of Contract Signer and Certificate Approver

11.8.2. Acceptable Methods of Verification – Name, Title and Agency

Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following.

(1) Name and Title: The CA MAY verify the name and title of the Contract Signer and the Certificate Approver by any appropriate method designed to provide reasonable assurance that a person claiming to act in such a role is in fact the named person designated to act in such role.

(2) Agency: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by:

(A) Contacting the Applicant by phone or mail, at the phone number or address for the Applicant, obtained and verified in accordance with Section 11.4.1 or 11.4.2, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; or

(B) Obtaining an Independent Confirmation From the Applicant (as described in Section 11.10.4), or a Verified Professional Letter Verified Legal Opinion (as described in Section 11.10.1), or a Verified Accountant Letter (as described in Section 11.10.2) verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant.

11.8.3. Acceptable Methods of Verification – Authority

Acceptable methods of verification of the Signing Authority of the Contract Signer, and the EV Authority of the Certificate Approver, as applicable, include:

(1) Verified Professional Letter Legal Opinion: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a Verified Professional Letter Verified Legal Opinion (as described in Section 11.10.1);

***

(2) Accountant Letter: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a Verified Accountant Letter (as described in Section 11.10.2);

[Note: Subsequent subsections (3) through (8) of section 11.8.3 were renumbered.]

[Note: In 11.11.4 (Independent Confirmation from Applicant), subsection (1)(B)(i)(2) the phrase “Verified Legal Opinion, or Verified Accountant Letter” was also replaced with “Verified Professional Letter”.]

11.12. Other Verification Requirements

11.12.3. Parent/Subsidiary/Affiliate Relationship

A CA verifying an Applicant using information of the Applicant’s Parent, Subsidiary, or Affiliate, when allowed under section 11.4.1, 11.4.2, 11.5.1, or 11.6.1, MUST verify the Applicant’s relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant’s relationship to the Parent, Subsidiary, or Affiliate include the following:

***

(4) Verified Professional Letter Legal Opinion: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Professional Letter Verified Legal Opinion (as described in Section 11.10.1);

(5) Accountant Letter: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Accountant Letter (as described in Section 11.10.2);

[Note: Subsection (6) was renumbered to subsection (5).]

Motion Ends

The review period for this ballot shall commence at 2200 UTC on Thursday, 11 June 2015, and will close at 2200 UTC on Thursday, 18 June 2015. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on Thursday, 25 June 2015. Votes must be cast by posting an on-list reply to this thread. A vote in favor of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: /about/membership/members/ In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Also, at least seven members must participate in the ballot, either by voting in favor, voting against, or abstaining.
