<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
On 05/07/2013 10:54 PM, From Rich Smith:<br>
<blockquote
cite="mid:043e01ce4b5c$b3e7f240$1bb7d6c0$@smith@comodo.com"
type="cite">
<div class="WordSection1">
<div style="border-width: medium medium medium 1.5pt;
border-style: none none none solid; border-color:
-moz-use-text-color -moz-use-text-color -moz-use-text-color
blue; -moz-border-top-colors: none; -moz-border-right-colors:
none; -moz-border-bottom-colors: none;
-moz-border-left-colors: none; -moz-border-image: none;
padding: 0in 0in 0in 4pt;">
<p class="MsoNormal" style="margin-bottom:12.0pt">If that is
true, could you please help me understand what the
differences between BR OV and EV effectively are? Or, in
other words, what would we have to adjust besides your
proposal to make OV and EV exactly the same thing?</p>
<p class="MsoNormal" style="margin-bottom: 12pt;"><b><i><span
style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color:
rgb(31, 73, 125);">[RWS] The difference lies in #2,
the level of identity checking, not in #1, the domain
verification. IMO, unless and until ICANN and their
registrars get their respective acts together the ONLY
piece of information contained in WHOIS that should
come into consideration for a CA are the contact email
addresses and possibly the phone numbers, and those
ONLY to establish a way to contact the domain owner
via phone or email to verify the certificate request.
The other details in WHOIS info are completely
unverified and therefore unreliable and irrelevant.</span></i></b></p>
</div>
</div>
</blockquote>
<br>
Yes, but it doesn't matter - if I validate PayPal, Inc. (the legal
entity) and verify that paypal.com's WHOIS records contain the exact
company details we already established, then we can assume that
PayPal owns paypal.com. In fact I'd require a domain control
validation (aka BR) first and then make the WHOIS check.<br>
<br>
It's not that we check the WHOIS records first and confirm that
whoever claims to own paypal.com is actually PayPal, Inc.<br>
<br>
<blockquote
cite="mid:043e01ce4b5c$b3e7f240$1bb7d6c0$@smith@comodo.com"
type="cite">
<div class="WordSection1">
<div style="border-width: medium medium medium 1.5pt;
border-style: none none none solid; border-color:
-moz-use-text-color -moz-use-text-color -moz-use-text-color
blue; -moz-border-top-colors: none; -moz-border-right-colors:
none; -moz-border-bottom-colors: none;
-moz-border-left-colors: none; -moz-border-image: none;
padding: 0in 0in 0in 4pt;">
<p class="MsoNormal" style="margin-bottom:12.0pt">
If your suggestion and proposal are acceptable to the
CABF members, including the browser vendors, we might want to
align BR OV and EV further, to the point that OV could
basically be relinquished. Considering that browsers don't make
any effort for BR IV/OV anyway, we might pursue such an
effort.</p>
<p class="MsoNormal" style="margin-bottom: 12pt;"><b><i><span
style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color:
rgb(31, 73, 125);">[RWS] I'm completely open to that
possibility, but currently there are individuals and
still some organization types which don't qualify for
EV, but do value some level of identity checking even
though the browsers won't differentiate it.</span></i></b></p>
</div>
</div>
</blockquote>
<br>
I was talking only about OV, not IV. As of now we probably will not
have a chance to get support for individuals at the EV level due to
browser objections.<br>
<br>
<blockquote
cite="mid:043e01ce4b5c$b3e7f240$1bb7d6c0$@smith@comodo.com"
type="cite">
<div class="WordSection1">
<div style="border-width: medium medium medium 1.5pt;
border-style: none none none solid; border-color:
-moz-use-text-color -moz-use-text-color -moz-use-text-color
blue; -moz-border-top-colors: none; -moz-border-right-colors:
none; -moz-border-bottom-colors: none;
-moz-border-left-colors: none; -moz-border-image: none;
padding: 0in 0in 0in 4pt;">
<p class="MsoNormal" style="margin-bottom:12.0pt">
It might reduce the quality of EV slightly, but with the
benefit of higher adoption. I was always under the
impression that EV means EXTENDED validation - and one of
the goals is to clearly identify the entity to a visitor
that he would expect to see at the site/certificate. E.g.
somebody visiting paypal.com expects to see PayPal, Inc.
(US) and not SomeISP, LLC (US).</p>
<p class="MsoNormal" style="margin-bottom: 12pt;"><b><i><span
style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color:
[RWS] To a point">
rgb(31, 73, 125);">[RWS] To a point you're right, but
we can't DEFINITIVELY do that. There is nothing in
the EV Guidelines which prevents PayPal from
sub-letting a sub-domain to a third party, for
instance, and the EV Guidelines allow for that, but
currently both the Applicant and PayPal have to jump
through what I see as unnecessary hoops to do it.
</span></i></b></p>
</div>
</div>
</blockquote>
<br>
I think it's necessary to establish the assurance we want for EV -
I'd rather support removing that sub-letting, as you called it.
Considering the BR - it requires validating the domain name
and not control over a sub-domain (when using email ping), so your
argument above doesn't really hold, as there will be no
improvement as I see it.<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</body>
</html>