<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think we are waaay over complicating this. Our role as CAs is two-fold:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>1) Verify domain ownership/control<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>2) For OV and EV certs, verify the identity of the individual or organization to be named in the certificate Subject details to the degree prescribed by the BR or EV Guidelines respectively.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I have seen in this conversation, and in past conversations an attempt to tie those two roles together, which really can't be done effectively. There is absolutely no way to guarantee that the party named in the cert ACTUALLY is the party running the site, or doing business on it, only that they have requested/authorized their identity to be used in association with it. Likewise I have no sure way of verifying that the party who ACTUALLY owns the domain, i.e. purchased it directly from the registrar, is or is not the party named either in the certificate or on the WHOIS information.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>An old adage in the SysAdmin world is, "If I have physical access to the box, I own the box." The equivalent to that on the internet is, "If I control the DNS, I own the domain." That takes care of #1 and any attempt we make to go further than that for the purpose of verifying domain ownership/control is really quite pointless.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>As for #2 we verify that the named organization exists and that they did in fact request that this certificate be issued with their name on it. That's it. Very simple. We CAN'T EVER be sure that that organization actually owns the domain, and that seems to be the main argument being presented.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hypothetical:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Acme, Inc. owns example.com. They have authorized Widgets, Inc. to operate a web site at widgets.example.com and obtain an EV certificate for it.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We attempt to verify to EV standards and in doing so we tell Widgets, Inc. that the WHOIS info is wrong and must be updated to show them as domain registrant. Rather than jump through a bunch of needless hoops and involve an attorney, Acme, Inc. simply logs in, changes domain registrant to Widgets, Inc. while we take a screenshot of the WHOIS info, then they immediately change it back to say Acme, Inc. maybe even before the certificate is actually issued.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>What exactly have we accomplished that we could not have accomplished equally well with an email sent to admin@example.com asking them to confirm authorization of the certificate request for widgets.example.com, or asking them to make an agreed upon change to the site at widgets.example.com? Answer: Exactly nothing. It was a complete waste of everyone's time. Acme has always, and continues to own the domain, we just have a screenshot of some fleeting and inaccurate WHOIS information. Nobody is any better off or more secure as a result.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Everyone seems to want to make the CA the be all end all of internet security. We aren't and we can't be. We can only do what we can do and putting up useless obstacles doesn't change that fact, it just makes our job more difficult and our customers more frustrated for no good reason. It's really no wonder people get fed up with us.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>ICANN can't enforce their standards. Sounds like a problem for ICANN. It's not my job to enforce their standards. It's my job to verify that the Applicant has, in some manner, been authorized to use the domain for which they have requested a certificate, whether it be that they purchased that right directly from the registrar, or purchased that right from a third party that purchased it from the registrar, AND, as a separate process, verify that they are who they say they are. There is no situation where I can do more than that.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Rich<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Ben Wilson<br><b>Sent:</b> Tuesday, May 07, 2013 10:57 AM<br><b>To:</b> 'Ryan Hurst'; jeremy.rowley@digicert.com; 'Eddy Nigg (StartCom Ltd.)'; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Proposed motion to modify EV domain verification section<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This thread brings up an important syntactical improvement that we need to make in the BRs and EV Guidelines. We ought to start now with EV, since that is what we’re currently discussing. Occasionally people will say we need to be more exact with terms like “domain name”, “FQDN”, etc. While we have made great improvements since EV 1.0, there are still more to be made. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Let’s say that the FQDN or sub-domain is controlled under a license granted by the domain name registrant, but the domain name registrant might be difficult to contact, etc. It might be clear from the domain name registrant’s architecture/business model that the registrant’s usual practice is to assign subdomains or set up FQDNs. Similarly, it might be clear from the EV applicant’s usual practice that they obtain an assignment of a particular subdomain or particular FQDN as a service provider to domain name registrants. I can see a practical demonstration through DNSSEC routing to particular IP address blocks shows sufficient control. By issuing the EV certificate, I do not think we are attesting to domain name registration. In most cases, yes, but in some we are attesting to the entity behind the server, FQDN or sub-domain, in which cases the process for validation changes because the goal has changed. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Even if you do not accept these two hypotheticals, we still need to go through both documents with a fine-toothed comb to remove potential ambiguities.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ryan Hurst<br><b>Sent:</b> Monday, May 06, 2013 10:56 PM<br><b>To:</b> <a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>; 'Eddy Nigg (StartCom Ltd.)'; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Proposed motion to modify EV domain verification section<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>While I agree the syntactic checks prescribed in Report 58 will increase the accuracy of information in WHOIS, the fact is it is supposed to be accurate today even though we know registrars do a bad job at meeting the requirement and ICANN does a bad job at mandating they meet it.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>When it comes to the policies we author, I think we should build them on what is required by the entities involved and build mitigations for the reality of their practices; in this case it means WHOIS data should be allowed but be syntactically validated and corroborated with other data sources.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>As for allowing other forms of domain control verification, I am not opposed to supporting mechanism that actually allow verification of control of the domain but some technical verifications in use today do not do that, for example they may verify control of a host within the domain which is different than controlling the domain itself.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Even if we do that though I think it’s important we still allow for WHOIS based verification, just as I think it’s important the registrars and ICANN live up to their obligations to ensure it is accurate.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ryan<o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Jeremy Rowley [<a href="mailto:jeremy.rowley@digicert.com">mailto:jeremy.rowley@digicert.com</a>] <br><b>Sent:</b> Monday, May 06, 2013 9:40 PM<br><b>To:</b> 'Ryan Hurst'; 'Eddy Nigg (StartCom Ltd.)'; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> RE: [cabfpub] Proposed motion to modify EV domain verification section<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I recognize that there is a self-reporting requirement and that SSAC Report #58 released this year has some recommendations that, if adopted, will greatly improve the WHOIS contents. Considering the large number of WHOIS listings that are incorrect and that self-reported data is not permitted under EV, I think other verification requirements are more effective at determining the controller/owner of the website.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think looking at what registrars do is a good way to expand the domain validation scope. However, I think the Forum already has several effective methods of verifying domain names in the BRs, and I do not see the harm in permitting these same procedures for EV.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Jeremy<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ryan Hurst<br><b>Sent:</b> Monday, May 06, 2013 10:23 PM<br><b>To:</b> <a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>; 'Eddy Nigg (StartCom Ltd.)'; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Proposed motion to modify EV domain verification section<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Since 2003 ICANN has required the information to be validated yearly - <a href="http://www.icann.org/en/resources/registrars/consensus-policies/wdrp">http://www.icann.org/en/resources/registrars/consensus-policies/wdrp</a> the policy was poorly written, did not consider global privacy requirements and is not enforced but it is at least mandated; <a href="http://www.circleid.com/posts/20120719_a_confession_about_icann_whois_data_reminder_policy/">http://www.circleid.com/posts/20120719_a_confession_about_icann_whois_data_reminder_policy/</a> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I understand one of the key reasons of non-enforcement is that ICANN feels they do not have the teeth to do so in the existing contracts with registrars.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I also understand that they have addressed this contractual teeth issue with the gTLD contracts.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>As we look at this topic I believe it is best to consider both what registrars are required to do and build mitigations based on what they truly do.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ryan<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Jeremy Rowley<br><b>Sent:</b> Monday, May 06, 2013 9:00 PM<br><b>To:</b> 'Eddy Nigg (StartCom Ltd.)'; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Proposed motion to modify EV domain verification section<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We do require a human interaction (and that won’t change) when we verify the certificate requester. However, that is separate from domain verification. Considering that WHOIS information is essentially non-verified information, I don’t think the WHOIS check provides any insight about the domain’s operator. Until ICANN requires verification of each domain applicant, the WHOIS information is less reliable (IMO) than several of the verification methods permitted under the baseline requirements.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Eddy Nigg (StartCom Ltd.)<br><b>Sent:</b> Monday, May 06, 2013 9:56 AM<br><b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Proposed motion to modify EV domain verification section<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><br>On 05/06/2013 05:42 PM, From Rich Smith: <o:p></o:p></p><pre>What's more, the EV requirement around domain verification is currently LESS<o:p></o:p></pre><pre>SECURE than OV/DV in this regard as it ONLY requires looking at WHOIS. To<o:p></o:p></pre><pre>the best of my knowledge there has never been a case of any mis-issuance of<o:p></o:p></pre><pre>a certificate to an unauthorized domain where a technical mechanism was used<o:p></o:p></pre><pre>to verify domain authorization.<o:p></o:p></pre><p class=MsoNormal style='margin-bottom:12.0pt'><br>If anything we should probably require a technical verification <b>and</b> a human interaction via WHOIS to really improve it.<br><br>I'm not sure... if we'd simply rely on technical verification under certain circumstances certificates could be issued unintentional and then in the EV level. I'm not very comfortable with the thought to solemnly rely on a domain control validation. <br><br>Also EV certificates should probably identify the entity that stands behind the web site (even though the guidelines allow for authorization and delegation of sites to a validated entity), it requires either a lookup at the WHOIS records and/or web sites involved to confirm that.<o:p></o:p></p><pre>It is also extremely frustrating for a customer who, for example, gets a<o:p></o:p></pre><pre>request from us to unmask whois, gets an email sent to a WHOIS contact and<o:p></o:p></pre><pre>responds to it, then gets another request that they now have go back in and<o:p></o:p></pre><pre>change the WHOIS info because we have found it to not match now that we can<o:p></o:p></pre><pre>see it. From their point of view, the email established that they own the<o:p></o:p></pre><pre>domain so we are now just wasting their time.<o:p></o:p></pre><p class=MsoNormal style='margin-bottom:12.0pt'><br>Yes, probably most of us are aware of the difficulties with that, on the other hand it also relays to the parties involved that an EV isn't that easy to get. Agreed that your proposal would reduce some of the hassle with that and make EV more convenient.<o:p></o:p></p><div><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal>Regards <o:p></o:p></p></td></tr><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal> <o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Signer: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Eddy Nigg, COO/CTO<o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal> <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>XMPP: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Blog: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="http://blog.startcom.org">Join the Revolution!</a><o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Twitter: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="http://twitter.com/eddy_nigg">Follow Me</a><o:p></o:p></p></td></tr><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal> <o:p></o:p></p></td></tr></table></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>