[Servercert-wg] Registration Numbers
jeremy.rowley at digicert.com
Tue Sep 17 14:38:39 MST 2019
There's some unclear language governing registration numbers in EV certificates that allows nearly anything to be included.
Section 9.2.5 requires:
For Private Organizations, this field MUST contain the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration, as appropriate. If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats.
A Registration Agency is defined as a Governmental Agency that registers business information in connection with an entity's business formation or authorization to conduct business under a license, charter or other certification.
A VAT is a license. So is a business license. So is a health code document, a food handler's permit, an SEC filing, and similar documents. These are also certifications under which I do business. This pretty much allows everything to be used as a document that can be asserted in a certificate. Although some of these are extremes, others (VAT, FEIN, SEC registration) are less clear on whether they could be used as a registration number. I believe the intent is that the number should be the number assigned during the company's creation/formation. This is supported by the definition of "Registration Number" (which is the unique number assigned by the Incorporating Agency) but the section says the information could contain the number provided by the Registration Agency (i.e., the "registration number"). However, this definition is contradictory to the requirements of that section, causing confusion between a "Registration Number" and a "registration number" (the number from a Registration Agency).
We could enhance this part of the EV guidelines greatly by clarifying this section to only permit Registration Numbers assigned by Incorporating Agencies and clarifying Incorporating Agencies as those entities responsible for registering a company's formation/charter/creation.
If we eliminate/consolidate the Registration Agency and Incorporating Agency framework, we'll end up with a simpler set of guidelines and capture what I think was the original intent - that the companies need to be verified with the entity responsible for their formation, not just an original filing. At the same time, we can fix the hole in the guidelines to identify in the certificate the entity responsible for the formation. Doing so would allow the relying parties to easily determine where the entity operating the certificate originated.
Interesting side note. We do know there are some jurisdictions that use the VAT as the registration number. In this case you go and register for VAT then take the VAT number to the registration office who assigns you the identical number as your registration ID. In that case, the registration number is actually the number assigned by the incorporating agency, which just so happens to be the same as the VAT.