[Servercert-wg] Registration Numbers
jeremy.rowley at digicert.com
Tue Sep 17 15:11:10 MST 2019
That's probably the simplest solution, but then you have this weird language about Registration Agency in 9.2.5. It'd leave an ambiguity as to how you'd ever have a Registration Agency if Registration Numbers can only come from Incorporating Agencies. I'd propose removing both "or similar" and "Registration Agency" from Section 9.2.5 for Private Organizations. Then the Registration Number for Private organizations is always related to the incorporation/formation information.
From: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Sent: Tuesday, September 17, 2019 4:07 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: RE: Registration Numbers
Registration Number is a defined term in the EVGL:
Registration Number: The unique number assigned to a Private Organization by the Incorporating Agency in such entity's Jurisdiction of Incorporation.
That seems pretty clear. I'm not sure why we used the phrase "the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency" in EVGL 9.2.5 - perhaps we were concerned that some government registries might call it by other names, like serial number, corporation number, etc.
Maybe the simplest solution if you think this is an issue worth addressing is just to delete the phrase "(or similar)" from EVGL Sec. 9.2.5.
From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Jeremy Rowley via Servercert-wg
Sent: Tuesday, September 17, 2019 2:39 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL][Servercert-wg] Registration Numbers
There's some unclear language governing registration numbers in EV certificates that allows nearly anything to be included.
Section 9.2.5 requires:
For Private Organizations, this field MUST contain the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration, as appropriate. If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats.
A Registration Agency is defined as a Governmental Agency that registers business information in connection with an entity's business formation or authorization to conduct business under a license, charter or other certification.
A VAT is a license. So is a business license. So is a health code document, a food handler's permit, and SEC filing, and similar documents. These are also certifications under which I do business. This pretty much allows everything to be used as a document that can be asserted in a certificate. Although some of these are extremes, others (VAT, FEIN, SEC registration) are less clear on whether they could be used as a registration number. I believe the intent is that the number should be the number assigned during the company's creation/formation. This is supported by the definition of "Registration Number" (which is the unique number assigned by the Incorporating Agency) but the section says the information could contain the number provided by the Registration Agency (i.e. the "registration number"). However, this definition is contradictory to the requirements of that section causing confusion between a "Registration Number" and a "registration number" (the number from a Registration Agency).
We could enhance this part of the EV guidelines greatly by clarifying this section to only permit Registration Numbers assigned by Incorporating Agencies and clarifying Incorporating Agencies as those entities responsible for registering a company's formation/charter/creation.
If we eliminate/consolidate the Registration Agency and Incorporating Agency framework, we'll end up with a simpler set of guidelines and capture what I think was the original intent - that the companies need to be verified with the entity responsible for their formation, not just an original filing. At the same time, we can fix the hole in the guidelines to identify in the certificate the entity responsible for the formation. Doing so would allow the relying parties to easily determine where the entity operating the certificate originated.
Interesting side note. We do know there are some jurisdictions that use the VAT as the registration number. In this case you go and register for VAT then take the VAT number to the registration office who assigns you the identical number as your registration ID. In that case, the registration number is actually the number assigned by the incorporating agency, which just so happens to be the same as the VAT.