Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LEI Ballot #139

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

LEI Ballot #139

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
262241c
Update BR.md
timfromdigicert Feb 26, 2018
e9e473e
"Request Value" -> "Random Value"
timfromdigicert Mar 5, 2018
b44c918
Fix references in 7.1.5(c)
wthayer Apr 18, 2018
4d5736b
Merge pull request #1 from wthayer/patch-2
timfromdigicert May 2, 2018
22266f1
Merge pull request #2 from cabforum/master
timfromdigicert Jun 27, 2019
3dc8410
Merge pull request #3 from cabforum/master
timfromdigicert Jul 10, 2019
860cae7
Merge pull request #4 from cabforum/master
timfromdigicert Jul 25, 2019
e99e65f
Update EVG.md
timfromdigicert Jul 26, 2019
32328c2
Update EVG.md
timfromdigicert Aug 16, 2019
97983ec
Update BR.md
timfromdigicert Aug 20, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions docs/EVG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -180,6 +180,10 @@ Capitalized Terms are defined in the Baseline Requirements except where provided

**Extended Validation Certificate:** See EV Certificate.

**Global Legal Entity Identifier Foundation:** Established by the Financial Stability Board in June 2014, the Global Legal Entity Identifier Foundation (GLEIF) is tasked to support the implementation and use of the Legal Entity Identifier (LEI). The foundation is backed and overseen by the LEI Regulatory Oversight Committee, representing public authorities from around the globe that have come together to jointly drive forward transparency within the global financial markets. GLEIF is a supra-national not-for-profit organization headquartered in Basel, Switzerland.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None of this marketing copy is necessary. This provides no definitional value, especially for the purpose of the EVGs.

Suggestion: Delete Entirely.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At least a significant portion of it is factual information. I'm not sure that deleting all of it actually helps anything.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be factual, but it's entirely irrelevant in order to implement or comply with the EVGs.


**Global Legal Entity Identifier Index:** The Global Legal Entity Identifier (LEI) Index contains historical and current LEI records including related reference data in one authoritative, central repository. The reference data provides the information on a legal entity identifiable with an LEI.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is also marketing copy, and can/should be deleted. It does not disambiguate in any meaningful sense, which is normally what these definitions should be used for.


**Government Agency:** In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of Private Organizations is established (e.g., the government agency that issued the Certificate of Incorporation). In the context of Business Entities, the government agency in the jurisdiction of operation that registers business entities. In the case of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities.

**Guidelines:** This document.
Expand All @@ -200,6 +204,8 @@ Capitalized Terms are defined in the Baseline Requirements except where provided

**Legal Entity**: A Private Organization, Government Entity, Business Entity, or Non-Commercial Entity.

**Legal Entity Identifier**: The Legal Entity Identifier (LEI) is a 20-character, alpha-numeric code based on the ISO 17442 standard developed by the International Organization for Standardization (ISO). It connects to key reference information that enables clear and unique identification of legal entities participating in financial transactions. Each LEI contains information about an entity’s ownership structure and thus answers the questions of 'who is who’ and ‘who owns whom’.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly, marketing copy is included here.

This part is wholly unnecessary, because the only salient piece of definitional requirement, namely that it complies with ISO17442, is duplicated in the actual normative requirement.

Suggestions:

  1. Delete this text entirely
  2. Meaningfully define it. What are the salient bits? Possible answers include:
  • Complies with the format set forth in ISO 17442
  • Assigned by an entity approved entity
    • For example, if the intent is that it complies with the LEI Regulatory Oversight Committee's requirements and uses an LOU recognized by the LEI ROC, then let's try to find out how to say that.
    • Alternatively, it might mean assigned by an LOU accredited by GLEIF


**Legal Existence:** A Private Organization, Government Entity, or Business Entity has Legal Existence if it has been validly formed and not otherwise terminated, dissolved, or abandoned.

**Legal Practitioner:** A person who is either a lawyer or a Latin Notary as described in these Guidelines and competent to render an opinion on factual claims of the Applicant.
Expand Down Expand Up @@ -276,10 +282,12 @@ Abbreviations and Acronyms are defined in the Baseline Requirements except as ot
|CPA |Chartered Professional Accountant|
|CSO |Chief Security Officer|
|EV |Extended Validation|
|GLEIF |Global Legal Entity Identifier Foundation|
|gTLD |Generic Top-Level Domain|
|IFAC |International Federation of Accountants|
|IRS |Internal Revenue Service|
|ISP |Internet Service Provider|
|LEI |Legal Entity Identifier|
|QGIS |Qualified Government Information Source|
|QTIS |Qualified Government Tax Information Source|
|QIIS |Qualified Independent Information Source|
Expand Down Expand Up @@ -1864,3 +1872,20 @@ guidelines:
jurisdiction as specified in Section 9.2.4. The stated address of the organisation
combined with the organization name SHALL NOT be the only information used to
disambiguate the organisation.

**LEI**: The Legal Entity Identifier (LEI) as specified in the ISO 17442 and registered
in the Global LEI Index.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So it's ambiguous here as to what "registered in the Global LEI Index" means. It implies that an accredited-by-GLEIF LOU can withhold data from the Global LEI System, and thus some additional requirement is required.

If the changes to LEI are made within the definitions (e.g. does it have to be an LEI defined by an LOU accredited by GLEIF/the LEI ROC), then I think this entire first sentence may be unnecessary.

Alternatively, if we want to avoid normative requirements within the definition, such that LEI is merely the number that conforms to ISO 17442, then this is where we'd introduce the requirement that the LEI be issued by an LOU recognized by the Global Legal Entity Identifier Foundation.

No definition for "who" the foundation is is necessary.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We certainly do want to avoid normative requirements within definitions. That's always a bad idea. Also, while I don't think it's actually possible for an LOU to issue an LEI that isn't in the Global LEI Index (holding all the LEIs is pretty much the point of the index), in the event that it is possible, I don't think we'd want to recognize them, as they were likely issued in error.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Different specs take different approaches with respect to definitions. To date, the BRs and the EVGs have fundamentally placed normative requirements within definitions, because many of the normative requirements themselves depend on the definitions. So I don't agree that it's always a bad idea.

Basically, I think we can get away from this potential confusion by indicating that an LEI, in terms of definition, is an Legal Entity Identifier that was issued by an LOU accredited by GLIEF (assuming I got the terms right), and then this all flows out of that (registered in the index, complies with ISO 17442, etc)


1. This information SHALL be validated by matching the organization name and
registration number found in the Global LEI Index against the Subject Organization
Name Field (see 9.2.1) and Subject Registration Number Field (see 9.2.5) within the
context of the subject’s jurisdiction as specified in Section 9.2.4.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's completely undefined here what "matching" means, and this is where I wanted to flesh out more comprehensive normative requirements.

Before including an LEI within a certificate, the CA SHALL

  • Confirm that the ValidationSources field of the associated LEI record, as reported by GLEIF, contains FULLY_CORROBORATED
  • That the RegistrationAuthority of the associated LEI Record is the same entity as the Incorporating Agency or Registration Agency used in validating the information within the Subject Jurisdiction of Incorporation or Registration Field (see Section 9.2.4) and the Subject Registration Number Field (see Section 9.2.5)
  • That the Subject Organization Name Field (see Section 9.2.1) is contained, exactly as entered, within either the LegalName, OtherEntityNames, or TransliteratedOtherEntityNames of the associated LEI Record
  • That the Subject Registration Number (see Section 9.2.5) is equal, exactly as entered, to the RegistrationAuthorityEntityID of the associated LEI Record

That said, I'm concerned about whether or not we need to worry about the Registration Details - in particular, the registration status - e.g. should a lapsed or canceled LEI Registration be used? What about challenges to the data source? Should we worry about the LegalJursidiction code and matching it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The bullet points look fine to me.

I'd be fine with disallowing lapsed or canceled registrations.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd be great if you could get the GLIEF folks to provide a bit of context (here, or to the questions@ list) about the state flow. Maybe I missed it on gleif.org

Basically, I want to make sure we've got an allowlist in place for what makes a "good" LEI, and the inter-relationship between the states means I'm not too confident I fully understand it. But it sounds like that sounds good to you, and so perhaps we should sync up with them to nail this down?


2. The address information SHALL be compared in order to detect potential
matching errors or errors in the registration information. If errors are found,
they SHALL be reported to the GLEIF Foundation and/or relevant registration
authority.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm actually not a fan of this. I think, if anything, any matching errors should PREVENT the CA from issuing such a certificate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd be fine with removing this. It was actually suggested by another CA.


3. The CA SHALL verify that the ValidationSources field of the associated
LEI record contains FULLY_CORROBORATED before including an LEI in a Certificate
using this scheme.