<p dir="ltr"><br>
On May 8, 2014 6:05 PM, "Jeremy Rowley" <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>> wrote:<br>
><br>
> In an age when companies are spread globally and everyone works remote,<br>
> multiple physical existence checks aren't as important as ensuring the CA<br>
> has a verified and reliable way to communicate with the subscriber about<br>
> certificate requests. </p>
<p dir="ltr">Considering that a significant part of the "extended" verification is asserting the physical existence of the subscriber, I have to respectfully disagree here.</p>
<p dir="ltr">> A single check for the address combined with reliable<br>
> communication with the applicant provides a better level of assurance than<br>
> requiring companies to stick with land lines. I believe the proposed ballot<br>
> will actually help increase security by permitting CAs to communicate using<br>
> a Subscriber's preferred method of communication instead of trying to find<br>
> authorization through a general phone number, hoping they are eventually<br>
> reach the correct person.</p>
<p dir="ltr">What are the assurances of extended verification for relying parties under this justification? What does it matter that the CA has a reliable means to contact the Subscriber if the RP doesn't?</p>
<p dir="ltr">><br>
> Because the Guidelines still require a CA to verify the contact info with a<br>
> QIIS/QGIS (or attorney), what is the "predefined security bar" that CAs<br>
> should meet? In the working group (and during a couple of face-to-face<br>
> conversations), we believed email, telephone, and postal address all met<br>
> some minimum bar since they are all methods that subscribers use to<br>
> routinely conduct business. However, we didn't necessarily think that<br>
> skype/VOIP, facebook, twitter, or other methods of communication were quite<br>
> sufficient. Since the browsers were the only ones to vote against the<br>
> ballot, is there something specific you want included?<br>
><br>
> Jeremy<br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>] On<br>
> Behalf Of Kelvin Yiu<br>
> Sent: Thursday, May 8, 2014 3:10 PM<br>
> To: Gervase Markham; <a href="mailto:ben@digicert.com">ben@digicert.com</a>; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication<br>
><br>
> I don't disagree with the fact that using a landline telephone number to<br>
> verify physical existence is increasingly irrelevant. However, I vaguely<br>
> recall discussions in the early meetings (before we coined the term EV)<br>
> where we wanted to have 2 data sources to verify physical existence and the<br>
> landline phone company was considered a good secondary source.<br>
><br>
> It is entirely possible that information from Q*ISs have gotten so good that<br>
> we don't need a secondary verification and I just don't know it. I just<br>
> haven't seen any discussion on whether we need to improve the physical<br>
> existence test or whether a physical existence test is still relevant.<br>
><br>
> To be clear, I have no problems with using mobile phones, Skype/VoIP, email,<br>
> or whatever the next new thing is to communicate with the applicant, as long<br>
> as the contact info originate from a Q*IS and the method meets a predefined<br>
> security bar.<br>
><br>
> Kelvin<br>
><br>
> -----Original Message-----<br>
> From: Gervase Markham [mailto:<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>]<br>
> Sent: Thursday, May 8, 2014 3:48 AM<br>
> To: <a href="mailto:ben@digicert.com">ben@digicert.com</a>; Kelvin Yiu; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication<br>
><br>
> On 07/05/14 22:01, Ben Wilson wrote:<br>
> > I think that when we wrote 11.4.2 we all thought that it would serve<br>
> > well as a "catch all" - doing triple duty for 1- physical address, 2-<br>
> > business operational existence, and 3 - "to confirm other<br>
> > verification requirements," but I don't think that is still the case<br>
> > for a growing minority of online businesses seeking SSL/TLS<br>
> > certificates.<br>
><br>
> Having re-reviewed section 11, I think your case is pretty well made. I am<br>
> no longer concerned that this will result in a weakening of the checks of an<br>
> applicant's physical existence - which is the key check because it<br>
> establishes jurisdiction and it is also the info placed in the cert itself.<br>
><br>
> The remaining issue for me is this (also raised by Kelvin): how do we decide<br>
> what's a good Verified Method of Communication? Which, to me is basically<br>
> the question of how secure from interception (as opposed to<br>
> eavesdropping) do we want a Verified Method of Communication to be?<br>
><br>
> It's fairly hard for a non-government to intercept and redirect a letter, or<br>
> a call made from a landline phone to another one. Do we have the same level<br>
> of confidence about mobile phones, email addresses etc.?<br>
> Perhaps we do. I might even have more confidence that, given a Skype<br>
> nickname, a Skype call to that nickname would connect with its owner than I<br>
> would have confidence that an email sent to an email address would connect<br>
> with its owner.<br>
><br>
> We use unencrypted and unauthenticated email for Domain Validation. But is<br>
> that something we want to rely on as our approved mechanism of communication<br>
> for EV issuance?<br>
><br>
> I think this merits further discussion. I'm torn what to do now, as voting<br>
> ends today. I think I'll stick with NO, but I would be very open to a<br>
> resubmission of this ballot once we've discussed and addressed this question<br>
> of what should and shouldn't qualify as a VMC.<br>
><br>
> Gerv<br>
> _______________________________________________<br>
> Public mailing list<br>
> <a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
> <a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><br>
><br>
> _______________________________________________<br>
> Public mailing list<br>
> <a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
> <a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><br>
</p>