<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal>I disagree. The requirements do not specify that. All that is required is that the name of the applicant was verified under 3.2.2.1 and that the register specify the domain contact is the applicant. If Google, Inc. is specified as the domain contact, no address matching is required.<o:p></o:p></p>
<p class=MsoNormal><a name="_MailEndCompose"><o:p>&nbsp;</o:p></a></p><span style='mso-bookmark:_MailEndCompose'></span>
<div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b>From:</b> geoffk@apple.com [mailto:geoffk@apple.com] <br>
<b>Sent:</b> Tuesday, January 2, 2018 4:34 PM<br>
<b>To:</b> Jeremy Rowley &lt;jeremy.rowley@digicert.com&gt;; CA/Browser Forum Public Discussion List &lt;public@cabforum.org&gt;<br>
<b>Cc:</b> Ryan Sleevi &lt;sleevi@google.com&gt;; Adriano Santoni &lt;adriano.santoni@staff.aruba.it&gt;<br>
<b>Subject:</b> Re: [cabfpub] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></p>
</div></div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
<div>
<p class=MsoNormal><br><br><o:p></o:p></p>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<div><p class=MsoNormal>On Dec 22, 2017, at 12:09 PM, Jeremy Rowley via Public &lt;<a href="mailto:public@cabforum.org">public@cabforum.org</a>&gt; wrote:<o:p></o:p></p></div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
<div>
<div><p class=MsoNormal>The attack vector is easier than that.<span class=apple-converted-space>&nbsp;</span><o:p></o:p></p></div>
<ol style='margin-top:0in' start=1 type=1>
<li class=MsoNormal style='mso-list:l0 level1 lfo1'>I use very stringent processes to verify that Google, Inc. is a legit company in Utah.<o:p></o:p></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo1'>I verify that Jeremy did indeed incorporate Google, Inc.<span class=apple-converted-space>&nbsp;</span><o:p></o:p></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo1'>I call Jeremy at the phone listed for Google, Inc., the Utah corporation<o:p></o:p></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo1'>The domain information shows Google, Inc. as owning<span class=apple-converted-space>&nbsp;</span><a href="http://google.com/"><span style='color:purple'>google.com</span></a><o:p></o:p></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo1'>Certificate issues.<o:p></o:p></li>
</ol>
<div><p class=MsoNormal>&nbsp;<o:p></o:p></p></div>
<div><p class=MsoNormal>Obviously this would be caught in every CA’s high risk checks, but the point remains valid. Regardless of the expertise and thoroughness of the org check, the specs lack any tie between the verified org and the actual domain because orgs are not unique on a global basis.<o:p></o:p></p></div>
<div><p class=MsoNormal>&nbsp;<o:p></o:p></p></div>
</div>
</blockquote>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div>
<div><p class=MsoNormal>For item 4, you have to verify that “the Applicant is the Domain Contact”. Obviously it’s insufficient to just compare names—you must verify every element of the WHOIS contact matches the Applicant, that’s typically name, postal address, phone number, and e-mail.<o:p></o:p></p></div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div></body></html>