Organizations that require paper documentation

My domain is: inqten.mn

This is not a technical issue.
We are doing business in Mongolia.
However, there are certain documents that banks in Mongolia require in order to add payment services to our site.
One of them is to prove that the SSL certificate applied to the site is trusted. It asks for "paper proof" from the certificate authority.
I'm stumped.
Can you help me with this?

Trusted by who?

4 Likes

It's a certificate issuer, so probably talking about the "Let's Encrypt" side.
They're asking for a physical piece of paper that says the certificate issuer vouches for that certificate.

Maybe you can find some written stuff they will accept at Policy and Legal Repository - Let's Encrypt?

Also, what do they mean by "trusted"? Trusted by browsers and/or OS? Let's Encrypt cannot directly influence that. Let's Encrypt requests addition of their root certificates into browser/OS root certificate stores, but in the end it's the discretion of the browser/OS to add the root cert or not.

4 Likes

As I said in the text, this isn't a technical issue - it's not about whether a web browser or OS can be trusted, it's about legal liability - it's about getting documentation that "Let's Encrypt" vouches for our site's SSL certificates.

Let's Encrypt of course trusts their own root certificates, they (self) signed them.

But this doesn't tell you much; I myself can self-sign whatever I want. You want other people to trust your certificates, and that's the difference between Let's Encrypt and myself.

There are several trust stores which you can use to determine if a certificate is trusted, main ones are Mozilla, Chrome, Apple, and Microsoft.

4 Likes

Do you have their exact verbiage/request?

5 Likes

Let's Encrypt digitally signs certificates for the websites, which is (non?)arguably a much stronger proof than a piece of paper with some scribbles on it.

Let's Encrypt certainly doesn't provide any paperwork for the end users.

4 Likes

There is no insurance that I know of, but you should read the subscriber agreement about that. If there's an issue, you won't be the only one impacted. But if you need insurance you would need to get your own.

That also depends on what they actually require, but I think a copy of Let's Encrypt CPS could be what they're looking for.

6 Likes

If it is not the CPS document linked above...

That doesn't exist from LetsEncrypt. It may exist from commercial providers.

As to what this could mean...

LetsEncrypt only offers DV - domain validation - certificates, which only validate control of the domain. Some countries have required financial sites to have EV or OV certificates, which validate the organization as well. The country may want a paper statement saying the EV or OV work was done.

The country may also just want a listing of what the Certificate is compatible on, in case there are minimum requirements. That can be found here: Certificate Compatibility - Let's Encrypt

Because LetsEncrypt is a free, non-profit, automatic system - their staff do not have the resources to generate compliance documents for subscribers. Requests like this often come up and are ignored or rejected.

I would contact the regulatory agency and speak with them to go over options and explanations from their point of view.

7 Likes
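The two technical points made in the thread (a self-signed root is only "trusted" by whoever has installed it in a trust store, and a DV certificate carries no organization identity in its Subject the way an OV or EV certificate does) can be shown with OpenSSL. The script below is an added example, not code from the thread or from Let's Encrypt: it builds a throwaway private CA, issues one DV-style and one OV-style leaf from it, then checks each against that CA and against the system trust store. It assumes `openssl` is on the PATH; the CA name, `example.test` and `Example Ltd` are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original thread). Assumes `openssl` in PATH.
# Names used here (Example Private CA, example.test, Example Ltd) are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so `openssl req` does not depend on a system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# A self-signed root: "trusted" by nobody but us, exactly like a Let's Encrypt
# root would be if browsers and OSes had not added it to their stores.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/openssl.cnf" \
  -extensions ca_ext -subj "/CN=Example Private CA" -days 1 \
  -out "$WORK/ca.pem" 2>/dev/null

# issue_leaf NAME SUBJECT -> prints the path of the signed certificate.
issue_leaf() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -config "$WORK/openssl.cnf" \
    -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/$1.pem" >/dev/null 2>&1
  printf '%s\n' "$WORK/$1.pem"
}

# verifies_with_ca CAFILE CERT -> 0 if CERT chains to the CA in CAFILE.
verifies_with_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# verifies_with_system_store CERT -> 0 only if CERT chains to a root the
# local OS/OpenSSL trust store already contains.
verifies_with_system_store() { openssl verify "$1" >/dev/null 2>&1; }

# subject_has_org CERT -> 0 if the Subject carries an O= (Organization)
# attribute, which OV/EV certificates have and DV certificates (such as
# Let's Encrypt's) do not.
subject_has_org() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -Eq '(^subject=|,)O='
}

# DV-style leaf: only a domain name. OV-style leaf: organization fields too.
# Note that our private CA will happily put "Example Ltd" in a Subject: the
# field itself proves nothing; it is the issuing CA's validation (and its
# audited practices) that give the field any meaning.
DV=$(issue_leaf dv "/CN=example.test")
OV=$(issue_leaf ov "/C=MN/O=Example Ltd/CN=example.test")

for cert in "$DV" "$OV"; do
  if verifies_with_ca "$WORK/ca.pem" "$cert"; then
    echo "$cert: OK against our own CA file"
  fi
  if verifies_with_system_store "$cert"; then
    echo "$cert: trusted by the system store (unexpected)"
  else
    echo "$cert: NOT trusted by the system store (expected for a private CA)"
  fi
  if subject_has_org "$cert"; then
    echo "$cert: Subject has O= (OV/EV-style)"
  else
    echo "$cert: Subject has no O= (DV-style)"
  fi
done
```

Run as a plain `sh` script. Both leaves verify against the CA file we just created and both fail against the system store, which is the whole point of the earlier reply about trust stores: the same cryptography is involved either way, and what differs is whether the verifier's store lists the root. Swapping `-CAfile` for the system store on a real Let's Encrypt chain (`openssl verify -untrusted chain.pem cert.pem`) is the practical check that a certificate is "trusted" on a given machine, and `openssl x509 -noout -subject` on a Let's Encrypt certificate will show the CN/SAN-only Subject that marks it as DV.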

Adding:

I was looking for one of the similar rejections as an example and came across this post:

In this case, the ISRG staff pointed to the WebTrust audit docs.

The most recent post I was thinking of, was this:

6 Likes

There may also be something getting lost in translation.

(I mean, even if you're just talking about people who share a native language, it wouldn't be the first time that by the time the requirements got to the engineers, they didn't look anything like what was actually needed. Add possible language barriers to that and it gets even more challenging)

7 Likes
