[cabfpub] Phone verification issues

Jeremy Rowley jeremy.rowley at digicert.com
Thu Jun 27 13:59:34 MST 2013


I agree that this should be the process and would love to see a change in the EV Guidelines that reflects this.

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Thursday, June 27, 2013 2:36 PM
To: richard.smith at comodo.com; public at cabforum.org
Subject: Re: [cabfpub] Phone verification issues

 

To state the obvious, it seems the process should be:

 

1.  If the organization’s phone number can be found in a QIIS, QGIS, etc., that is sufficient (but use that number to confirm other EV requirements).

 

2. If no number can be found… extra due diligence, including seeing if an alternate number (the mobile number, VOIP, etc.) is posted on the customer’s website, confirming the customer can be reached at the number, asking for a copy of phone bills (which could be faked), and – confirming there is a bank account in the customer’s name (using something stronger than just a copy of a bank statement, which can be faked).

 

One of the main reasons why the EVGL required telephone confirmation was to increase “findability” of the customer in the event of problems or fraud – we wanted to avoid dealing with an EV customer with a shell corporation and a throw away mobile phone.  So if one confirmed contact point goes away (telephone number in public data base), maybe we must substitute another strong contact point, such as bank account which can be opened by a bank only after complying with Know Your Customer rules (which today we only require for companies less than 3 years old, etc.).

 

BTW – I never thought an accountant would be willing to sign an attestation letter re corporate existence, officer, phone number, etc. – just not a part of providing accounting services, at least in the US.

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rich Smith
Sent: Thursday, June 27, 2013 1:20 PM
To: public at cabforum.org
Subject: [cabfpub] Phone verification issues

 

**Disclaimer: This thread originated on the questions listserv.  Regarding that particular thread, it will be handled by the CA in question.  All identification of the CA and the original sender have been scrubbed from this thread, as I don't know what the policy is regarding making queries to the questions list public.**

 

I agree that this particular case should be left for the particular CA to handle, however it brings up a problem that I encounter on a routine basis and one which I believe we need to address.  It is going to become increasingly difficult to verify phone numbers.  In the developing world it is well understood that they are largely skipping over land lines in favor of mobile phones, VoIP, etc., and even in the developed world mobile phones and VoIP have over-taken land lines in numbers and will very likely continue to do so.  With the adoption of the BRs we have added an out of band verification requirement to OV, which generally means a verification of a phone number for OV as well, though it is not a strict requirement as it is for EV since other out of band methods are still allowed (just not particularly timely or useful IMO).

 

For a snap shot of the mobile vs. land line numbers, I have combined two lists from:

http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use

http://en.wikipedia.org/wiki/List_of_countries_by_number_of_telephone_lines_in_use

into the attached spreadsheet (in Excel and Open Document formats)

 

I don't know exactly what the solution is, but I think we should get a conversation started.

 

Regards,

Rich

 

From: questions-bounces at cabforum.org [mailto:questions-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Thursday, June 27, 2013 2:35 PM
To: questions at cabforum.org
Subject: Re: [cabfquest] EV SLL Verification suggestion

 


On 06/27/2013 09:22 PM, From *name redacted*: 

Below is a problem we ran into and because of which we have a suggestion for change in the EV SSL verification rules. If this is not the proper channel for this type of suggestion please let me know how or where we could make this suggestion,

 

Thank You!

THE PROBLEM

 

We have had an EV SLL Cert issued by *redacted* for the last two years.

 

We are a small startup business that was using our home phone as a business line.  We had the phone forwarded to our cell phone. We found that with our cell phones we never used the home phone, and it was a monthly bill that we could eliminate, so we did. We changed the business number to a Google Voice number that was forwarded (like our home phone) to our cell phone. This provided us with the best solution so that our customers could usually always reach us.

 

Little did we know this would send us down a road that would eventually end up costing us our EV SLL certificate, and we had to revert to a standard SSL.

 

The problem was with the verification rules for the new phone number.  *redacted* was unable to find our small startup business in the directory, and we were unable to provide a bill that showed our new phone number, name of business, and address because Google Voice is a free service and no such bill is provided. 

 

We were asked to provide a Professional Opinion Letter from a CPA or Lawyer - and even though our small business does not employ either, we went to a CPA office and one after another CPA looked at the letter from *redacted* and said they had never seen anything like it and were not about to sign it.  We talked to a total of 3 CPA's. We did not try a lawyer because the cost would have been prohibitive. 

 

SUGGESTIONS FOR SOLUTION

 

First, to verify a phone number, one should be able to call that phone # and see who answers.  This is used by banks and financial institutions, why not for an EV SLL Certificate?

 

The "Professional Opinion Letter" is a complicated solution that costs $$$ for the end users -- I understand and appreciate the need for verification, but this should only be required in the most dire and last resort situations -- I would think if this letter was required then serious thought should be given as to whether the certificate should be issued at all. It certainly should not be required because a phone number changes.

 


I think we let *the CA* deal with this.


Regards 


 


Signer: 

Eddy Nigg, COO/CTO


 

StartCom Ltd. <http://www.startcom.org> 


XMPP: 

startcom at startcom.org


Blog: 

Join the Revolution! <http://blog.startcom.org> 


Twitter: 

Follow Me <http://twitter.com/eddy_nigg> 


 

 



 
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20130627/6d7b50b9/attachment-0001.html 


More information about the Public mailing list