Free Trial
Contact Us
Podcast

Root Causes 290: What Are QGIS and QIIS?

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
March 30, 2023

In this episode we define Qualified Government Information Source (QGIS) and Qualified Independent Information Source (QIIS), which are critical to CABF-compliant organization validation. We explain how they fit into validation and the criteria for a reliable information source.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanThis is a “what is” episode and today, we are going to kind of get a little down into the weeds of public certificates and CA/Browser Forum and we are gonna define two terms. Two related terms that are not quite the same, which is what is a QGIS and what is a QIIS. We are in the weeds. So, I’ll define these two words.

So, QGIS stands for Qualified Government Information Source and QIIS stands for Qualified Independent Information Source. And, if we break down these words, qualified means not just anything. It has to meet certain criteria to be considered to be usable. Let’s go to the end. Information source – this is some source of information that’s out in the world that you can use to get information about an entity. So, this would be an organization, a business, a government organization, an NGO, a school, a church, something like that. And there are many, many, many information sources in the world that you and I look to to understand what something is. What a business is.

So, let’s just use an easy example. Let’s say the yellow pages. So, remember when we all had yellow pages in our homes in a drawer in the kitchen and it was a thick book and it was yellow and strong people used to rip them in half to be impressive? So, we’d have these things and if somebody said, hey, I want to get my washing machine repaired, you’d flip to washing machine repair and you’d find somebody and you’d have a pretty high degree of confidence that that was actually a washing machine repair shop and not, let’s say, something else. Like someone pretending to be a washing machine repair shop. So, we would use the yellow pages as an information source.
Jason SorokoJason SorokoI am old enough to remember that. Yes, Tim. Absolutely.
Tim CallanTim CallanBut a CA can’t use the yellow pages is my point. And the CA can’t use the yellow pages for the simple reason that it’s all self-reported. So, you can get into the yellow pages – if they still exist – by calling up the yellow pages provider and saying, I want to buy an ad and I want to say I’m a washing machine repair shop and they’d say that’ll be $149.00 please and it’s done. So, I could fake an identity in that particular information source. And as a consequence, that information source would not count as qualified. It would not be qualified and it would not count and therefore, it would not be usable.

Now, where all this comes to play is these information sources are part of the CA/Browser Forum rules. The baseline requirements and the EVGs and basically anything that we are going to assert about a business needs to be independently confirmed. So, we can’t use self-reported information from that business or that government agency or that NGO or whoever it is. We have to get that directly from these independent information sources and they have to be qualified. So there are a set of criteria. Basically, what it comes down to is it can’t be self-reported information. It can’t be something where I just go tell it. So there are lots and lots of places and databases where you can just go tell it and there are also lots of places and databases where you can’t just tell it. Where they have some method in place to ensure that the information that you are saying is correct. It’s that second set of information sources that we as CAs are allowed to use and that’s where the qualified comes in.

Now there’s two versions. There’s what we call government and independent. So government is just that. It’s something that comes from the government. It’s an official list of registered businesses or it’s an official list of schools or it’s an official list of government agencies with the set of information that is adequate for the CA to determine what it needs to know about that organization and it’s coming directly from a government and we call that a QGIS – a Qualified Government Information Source and that is considered to be a very robust information source. Because after all, those are the people who are in charge of the law and if they’re going to declare that these are the schools, kind of almost by definition they are right.

Then the other ones though are basically services that are maintained. Usually they are paid services where they focus on quality and they make sure that what’s in their information is right and there’s lots and lots and lots of businesses that use these services and need them in various ways and depend on them being accurate. So, it is worthwhile for somebody to run a business where they are literally looking at these information sources; they are vetting their information; they are confirming that it’s correct and they are making it available in some kind of data lookup capacity. And that would be called a Qualified Independent Information Source and CAs use both of these. They use them quite extensively and that is an essential part. Without these information sources you kind of can’t have a CA industry at all.
Jason SorokoJason SorokoEspecially in terms of EV certificates and OV certificates, Tim. You are right.
Tim CallanTim CallanAbsolutely. To be clear, we are talking about EV/OV. So, for the domain validation aspect of public SSL certificates, what we call DCV or domain control validation, that is entirely independent. That is done in an independent way with independent mechanisms. Those mechanisms are highly reliable.

So, if you are thinking about a DV, a domain validated certificate, there is only DCV. Organizational validation does not occur. So under those circumstances, there are no QIISs. There are no QGISs. So for a CA that only offers DV – and some of them exist – they don’t need to worry about this stuff. They don’t care. They don’t have any QIISs. They don’t have any QGISs. They just don’t care. But for CAs that are offering OV and EV, which is most of them, then they do care and they have to do this correctly and they have to follow everything that I just laid out.
Jason SorokoJason SorokoThat’s right, Tim. I think that for those of you who play in the legal industry, I’m not sure if most jurisdictions actually name these things legally but there are other industries out there that rely on these kinds of things as well.
Tim CallanTim CallanThink about and know your customer. KYC is a great example where information sources, incredible information sources are incredibly important. Think about fraud and risk alerts. Think about anybody who is doing loans. Before I give you money I have to be confident that you exist and you are who you say you are and you usually have to go over various risk thresholds as well. There are lots of industries that depend on this and use this in various ways.
Jason SorokoJason SorokoWe even looked in here at the history of definition and redefinition and revision of QIIS within the CA/Browser Forum. So, I’m interested to hear your take on what’s been allowed and what’s been disallowed as a QIIS in the past.
Tim CallanTim CallanSo, the CA/Browser Forum in general, the baseline requirements have been a story of increasingly tight control really since they were created 10 years ago. So, it is defined more closely, more tightly, more precisely, remove the liberalism and that has gone on just kind of as a constant iterative process over time and so there aren’t really hard rules, there aren’t hard criteria over what is allowable as a QIIS, but CAs #1 are expected to publish their information sources – which we do on GitHub. So, anybody can go and they can see what information sources we are using and therefore, if they don’t like our information sources, they can object to it.

And #2 is, there is a more general rule which is that the CA has to, in the event that the CA learns that any of its certificates don’t have reliable organization validation information then those certificates need to be revoked. That winds up being the thing that really has teeth. You can’t use an unreliable QIIS because then anything that depends on that QIIS itself becomes unreliable and therefore, according to the rules, it must be revoked. That’s really where the strength comes from. So, there is a motivator for CAs to do this well. Not to mention the fact if they don’t do it well and they’re issuing certs to organizations that don’t exist, then because of CT log certificate transparency and because of tools like CRT.SH, it is possible for members of the community to discover these errors and bring them up and they have. They do. And when they bring them up, guess what? Now you have a Bug and Bugzilla and you have that whole problem. You have a forced revocation event. You have kind of the loss of public credit and loss of face. That’s very important. If you look at the three root distrust events that have occurred in the last four years or so, for two of the three there was a strong element of failure to execute properly, which was part of the reason the distrust occurred. CAs take this kind of thing very seriously and failure to execute properly in the CA world is a very serious allegation. That’s where the teeth and the strength comes from in all of this and it’s pretty strong. It’s effective in forcing CAs to take this kind of thing seriously.
Jason SorokoJason SorokoThanks, Tim. That’s why I knew well enough that you cannot be choosing your sources willy-nilly. It is a very controlled thing. So for those of you wondering, there’s a lot of consideration paid to this and for the professionals who do this on a daily basis, I applaud them because they think very, very hard about the sources that they are using and take this whole subject really seriously.
Tim CallanTim CallanI just thought it would be nice to bring it up because it’s a part of the whole process that most people, if you are not an insider, you don’t know about it and you probably don’t think about it. But without that being done correctly, the whole system falls apart.
Jason SorokoJason SorokoAbsolutely. For those of you who are wondering, OV and EV certificates, the amount of work that’s actually done and put that name down is really substantial. It really, really is.

To actually guarantee that something is who it says it is, who actually is in possession of that certificate, is actually utilizing it. There’s been a lot said over the years about the efficacy of EV certificates, but I will tell you that in terms of verification processes, it’s rigorous and there’s a lot to it. And, like I say, people do take this really seriously on all sides. It’s a big topic. It’s in the weeds but it’s really at the heart of how these things are done properly.
Tim CallanTim CallanAgreed. Alright. So, anyway, that’s it. QIIS, QGIS in a nutshell.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud