[cabfpub] Phone verification issues

Rich Smith richard.smith at comodo.com
Thu Jun 27 13:19:56 MST 2013


**Disclaimer: This thread originated on the questions listserv.  Regarding 
that particular thread, it will be handled by the CA in question.  All 
identification of the CA and the original sender have been scrubbed from this 
thread, as I don't know what the policy is regarding making queries to the 
questions list public.**



I agree that this particular case should be left for the particular CA to 
handle, however it brings up a problem that I encounter on a routine basis and 
one which I believe we need to address.  It is going to become increasingly 
difficult to verify phone numbers.  In the developing world it is well 
understood that they are largely skipping over land lines in favor of mobile 
phones, VoIP, etc., and even in the developed world mobile phones and VoIP 
have overtaken land lines in numbers and will very likely continue to do so. 
With the adoption of the BRs we have added an out of band verification 
requirement to OV, which generally means a verification of a phone number for 
OV as well, though it is not a strict requirement as it is for EV since other 
out of band methods are still allowed (just not particularly timely or useful 
IMO).



For a snapshot of the mobile vs. land line numbers, I have combined two lists 
from:

http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use

http://en.wikipedia.org/wiki/List_of_countries_by_number_of_telephone_lines_in_use

into the attached spreadsheet (in Excel and Open Document formats).



I don't know exactly what the solution is, but I think we should get a 
conversation started.



Regards,

Rich



From: questions-bounces at cabforum.org [mailto:questions-bounces at cabforum.org] 
On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Thursday, June 27, 2013 2:35 PM
To: questions at cabforum.org
Subject: Re: [cabfquest] EV SLL Verification suggestion




On 06/27/2013 09:22 PM, From *name redacted*:

Below is a problem we ran into and because of which we have a suggestion for 
change in the EV SSL verification rules. If this is not the proper channel for 
this type of suggestion please let me know how or where we could make this 
suggestion,



Thank You!

THE PROBLEM



We have had an EV SSL Cert issued by *redacted* for the last two years.



We are a small startup business that was using our home phone as a business 
line.  We had the phone forwarded to our cell phone. We found that with our 
cell phones we never used the home phone, and it was a monthly bill that we 
could eliminate, so we did. We changed the business number to a Google Voice 
number that was forwarded (like our home phone) to our cell phone. This 
provided us with the best solution so that our customers could usually always 
reach us.



Little did we know this would send us down a road that would eventually end up 
costing us our EV SSL certificate, and we had to revert to a standard SSL.



The problem was with the verification rules for the new phone number. 
*redacted* was unable to find our small startup business in the directory, and 
we were unable to provide a bill that showed our new phone number, name of 
business, and address because Google Voice is a free service and no such bill 
is provided.



We were asked to provide a Professional Opinion Letter from a CPA or Lawyer - 
and even though our small business does not employ either, we went to a CPA 
office and one after another CPA looked at the letter from *redacted* and said 
they had never seen anything like it and were not about to sign it.  We talked 
to a total of 3 CPAs. We did not try a lawyer because the cost would have 
been prohibitive.



SUGGESTIONS FOR SOLUTION



First, to verify a phone number, one should be able to call that phone # and 
see who answers.  This is used by banks and financial institutions, why not 
for an EV SSL Certificate?



The "Professional Opinion Letter" is a complicated solution that costs $$$ for 
the end users -- I understand and appreciate the need for verification, but 
this should only be required in the most dire and last resort situations -- I 
would think if this letter was required then serious thought should be given 
as to whether the certificate should be issued at all. It certainly should not 
be required because a phone number changes.




I think we let *the CA* deal with this.




Regards





Signer:  Eddy Nigg, COO/CTO
         StartCom Ltd. <http://www.startcom.org>
XMPP:    startcom at startcom.org
Blog:    Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: Land_vs_mobile_phone.ods
Type: application/octet-stream
Size: 10765 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20130627/f8317f7e/attachment-0001.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Land_vs_mobile_phone.xls
Type: application/vnd.ms-excel
Size: 25088 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20130627/f8317f7e/attachment-0001.xls 