29 May Widening the scope of best practice for LEIs for SSL/TLS identity
“Legislation” & “Regulation” are often cited as the primary reasons for growth behind any initiative. Whilst “Best Practice” also always has a free ticket to the party, it’s very unusual for it to be on centre stage – unless, that is, the audience are themselves legislators and regulators. This is where best practice makes most impact, but there needs to be a spark/catalyst to initiate the gathering and subsequently follow it through to a conclusion, rather than let the opportunity simply fizzle out.
I attended last week’s Identity Workshop (https://id-workshop.gleif.org/), where the GLEIF (Global Legal Entity Identifier Foundation) played their initial role to perfection, allowing stakeholders in attendance to continue with the follow-up. The GLEIF were joined by members of the LEI Regulatory Oversight Committee (LEI ROC), and representatives from many industries, for a workshop on the topics of “identity management for legal entities, the role of the Legal Entity Identifier (LEI) in customer and supplier relationship management, and the impact of emerging digital solutions”.
When Philip Hallam Baker, formerly of VeriSign, and I founded the CA / Browser Forum back in May 2005, our roles were almost certainly catalysts – at that time, Best Practice was not necessarily weak, it was simply seen differently by each party. After efforts by all participants over this last decade, particularly in 2011/2012 where the Baseline Requirements were agreed, the Certificate Authority and Browser industry have been able to sustain the transactional security of the global economy of the Internet.
The way companies do business and the way individuals transact with those companies is continually evolving. The free choice of tools (browsers) at their disposal and the subsequent visual indicators they present (or do not present) are usually influenced by the advice that Best Practice offers, underpinned by Legislation & Regulation. Back when the original Baseline Requirements were drafted, and certainly 5 years earlier when the original Extended Validation Guidelines were drafted, Legal Entity Identifiers were not in existence (the first LEIs being issued on the 5th June 2012). Now there are roughly 1.2 million, and the number is growing quickly as each regulatory wave washes over companies and mandates that they obtain their LEI to be recognized worldwide.
What better tool exists to make use of the LEI’s global support to promote Identity Assurance worldwide? No other Open Database of company details is available in such an internationally agreed structured format, backed by the G20 and supporting ISO standards such as ISO 20275 and ISO 17742. Certificate Authorities are therefore ideally placed to incorporate the LEI, a persistent unique key to verifiable level 1 ‘who is who’ business data and level 2 ‘who owns who’ parental structures. Updated at least annually, LEIs will always offer an improved alternative over any static multi-year certificate, business card or even company letterhead. Regulators are now recognizing the benefits of mandating timely business data sources and the positive effect it is having on the success and, more importantly, the efficiency of their legislation.
Browsers will soon be ideally placed to display LEIs to their stakeholders, businesses and consumers alike, extracting them from the X.509 SSL/TLS certificate underpinning the encrypted communications channel.
What an exciting opportunity is in front of us all…