<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle27
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>My responses inline below:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Eddy Nigg (StartCom Ltd.)<br><b>Sent:</b> Tuesday, May 07, 2013 3:13 PM<br><br><o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><br>On 05/07/2013 07:19 PM, From Rich Smith: <o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think we are waaay over complicating this. Our role as CAs is two-fold:</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>1) Verify domain ownership/control</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>2) For OV and EV certs, verify the identity of the individual or organization to be named in the certificate Subject details to the degree prescribed by the BR or EV Guidelines respectively.</span><o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><br>If that is true, could be please perhaps help me understand what the differences between BR OV and EV effectively are? Or in other words, what would we have to adjust besides your proposal to make OV and EV exactly the same thing?<span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[RWS] The difference lies in #2, the level of identity checking, not in #1, the domain verification. IMO, unless and until ICANN and their registrars get their respective acts together the ONLY piece of information contained in WHOIS that should come into consideration for a CA are the contact email addresses and possibly the phone numbers, and those ONLY to establish a way to contact the domain owner via phone or email to verify the certificate request. The other details in WHOIS info are completely unverified and therefore unreliable and irrelevant.<o:p></o:p></span></i></b></p><p class=MsoNormal style='margin-bottom:12.0pt'><br><br>If your suggestion and proposal will be acceptable to the CABF members including the browser vendors, we might want to align BR OV and EV further to the point so that OV could be basically relinquished. Considering that browser don't make any effort for BR IV/OV anyway, we might pursue such an effort.<span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[RWS] I'm completely open to that possibility, but currently there are individuals and still some organization types which don't qualify for EV, but do value some level of identity checking even though the browsers won't differentiate it. If we can revise the EV requirements sufficiently to allow those to obtain them then I would love to discuss deprecating IV/OV.<o:p></o:p></span></i></b></p><p class=MsoNormal style='margin-bottom:12.0pt'><br><br>It might reduce the quality of EV slightly, but with the benefit for higher adoption. I was always under the impression that EV means EXTENDED validation - and one of the goals is to clearly identify the entity to a visitor that he would expect to see at the site/certificate. E.g. somebody visiting paypal.com expects to see PayPal, Inc. (US) and not SomeISP, LLC (US).<span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[RWS] To a point you're right, but we can't DEFINITIVELY do that. There is nothing in the EV Guidelines which prevents PayPal from sub-letting a sub-domain to a third party for instance, and the EV Guidelines allow for that, but currently both the Applicant and PayPal have to jump through what I see as unnecessary hoops to do it. There is also nothing, not even the aforementioned hoops, to stop PayPal from obtaining an EV cert for a sub-domain of paypal.com in their own name and then allowing some third party to use that sub-domain and it's certificate to do some other unrestricted and unrelated business on that sub-domain. The domain is PayPal's property. What they do with that property in this regard is completely outside the scope of what we do as CAs. We can't control it, we can't police it, and IMO it is outside our scope legally, and ethically to try. It's their property. Our job is simply to verify the details in the certificate and to verify that both the domain owner, and whatever entity is named in the certificate, whether the same or different, approve the issuance of the certificate. Anything beyond that is, of necessity, between the domain owner, the site operator, and the end user. IMO we go too far if we are trying to insert ourselves into that, and there is no practical way to do so reliably even if you think we should, which I do not.<o:p></o:p></span></i></b></p><p class=MsoNormal style='margin-bottom:12.0pt'><br><br><o:p></o:p></p><div><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal>Regards <o:p></o:p></p></td></tr><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal> <o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Signer: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Eddy Nigg, COO/CTO<o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal> <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>XMPP: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Blog: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="http://blog.startcom.org">Join the Revolution!</a><o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Twitter: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="http://twitter.com/eddy_nigg">Follow Me</a><o:p></o:p></p></td></tr><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal> <o:p></o:p></p></td></tr></table></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>