<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 4, 2017 at 1:42 PM, Geoff Keating <span dir="ltr"><<a href="mailto:geoffk@apple.com" target="_blank">geoffk@apple.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
> On 29 Nov 2017, at 9:44 am, Wayne Thayer via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<br>
><br>
> The EV process is intended to gather a robust body of information about the Subject that, when viewed collectively, "provides users with a trustworthy confirmation of the identity of the entity". James and later Ryan have pointed out a weakness in the standard where incorrect data from a single data source (QGIS) could be used to obtain a "properly validated" EV certificate containing that incorrect data.<br>
><br>
> A positive outcome from this discussion would be for the Validation WG to review this information and propose changes to the EVGLs (such as a requirement for face-to-face validation mentioned by Jeremy) that mitigate this weakness.<br>
<br>
</span>I’m not sure how face-to-face validation helps here, other than it means the applicant now has a chance to lie to your face, which at least adds a personal touch…<br>
<br>
I understand that the flaw being discussed is that the physical address data reported by QGISs/etc. may be self-reported by the entity and not immediately (or ever) validated. That seems like a problem, and really strikes at the heart of the 11.4.1(A) address verification. Unless it can be fixed I would think we have to remove those methods and leave just (i)(2), (2), and (3). [It would be nice if we could renumber this section so that it did not go (i)(1) (i)(2) (2) (3) (4).] </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Is there any way we can make such a check reliable? Some methods I have thought of that won’t work are:<br>
<br>
- There could be an aging requirement, on the grounds that a renewal notice is sent—but if the renewal is paid anyway, perhaps online, we’d be relying on the letter being returned undeliverable and the Registration Authority noticing this fact, which seems unreliable.<br>
- It seems like all the various information sources copy each other so we can’t rely on multiple sources.<br>
- If any information sources actually validate the data, they don’t seem to say so, so it’s probably useless to require use of only information sources that say they validate the address.</blockquote></div><br></div><div class="gmail_extra">Other potential issues with (i)(2)</div><div class="gmail_extra"><br></div><div class="gmail_extra">- "reliable individual or firm" is undefined. For example, is Google Maps sufficiently reliable, as some CAs assert? The business information may be community submitted, derived from OCR in the images ("machine learning"), or potentially from other sources (e.g. web crawls)</div><div class="gmail_extra">- (a)'s enumerations of verification are illustrative, non-normative</div><div class="gmail_extra">- (b) indicates that the CA must determine this, but does not affect the conclusion</div><div class="gmail_extra">- (c) indicates that the CA must determine this, but does not affect the conclusion</div><div class="gmail_extra">- (d) indicates that the CA must determine this, but does not affect the conclusion</div><div class="gmail_extra">- (e) requires photos, but no binding of those photos to the ID</div><div class="gmail_extra"><br></div><div class="gmail_extra">When we consider the holistic EV ecosystem, the complete and abject failure of all of these controls in the face of common sense does not itself represent misissuance - it's totally valid, and thus would be hard to fault a CA for doing what is totally valid. Further, when approached to obtain a certificate, the same hardship that has lead to some CAs proposing weaker checks (due to having to deny potential customers as a result of the current checks) also incentivizes CAs to favor the applicant. There's a compelling benefit to the CA if it can sell an EV certificate to a customer that fully complies with the EV Guidelines, particularly if anything bad happens is "not their fault, but the fault of the guidelines".</div><div class="gmail_extra"><br></div><div class="gmail_extra">Further, coupled with the liability requirements that don't trigger based on issuance, but based on provable misuse (which such proof being impossible to reliably demonstrate using existing technology), there's very little downside to the CA.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div></div>