[cabfpub] Phone verification issues

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Jun 27 14:26:43 MST 2013


Jeremy, the only problem with using notaries is – they just verify the Mr. or Ms. X (who works for the customer) *signed* a document or affidavit.  They do not vouch for the accuracy of any statements in the document, and they will not be verifying the phone number (VOIP, mobile phone, etc.) of the customer or the person signing the document.

So using a notary won’t really verify the customer’s phone number – only the Mr. or Ms. X signed something attesting to the phone number.  Mr. or Ms. X could also attest to the company’s state of incorporation, domains, etc. and have the document notarized – but that wouldn’t really establish any of those facts either.

The idea of an attorney/accountant letter was that those professionals were, in fact, themselves attesting to the facts (like local registration authorities) based on their own investigation and knowledge of facts, which is way stronger than a notarization of the customer’s own statements.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, June 27, 2013 2:13 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Phone verification issues

We could also consider start allowing notaries.  When the EV guidelines were originally created, verification of notaries was extremely difficult.  However, almost every state now has a public repository of notaries along with contact information.  Because notary verification reliability has significantly increased over the last couple of years, we should consider expanding Verified Letter verification of phone numbers to include notarized letters based on original documentation.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, June 27, 2013 3:00 PM
To: kirk_hall at trendmicro.com; richard.smith at comodo.com; public at cabforum.org
Subject: Re: [cabfpub] Phone verification issues

I agree that this should be the process and would love to see a change in the EV Guidelines that reflects this.

From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com>
Sent: Thursday, June 27, 2013 2:36 PM
To: richard.smith at comodo.com<mailto:richard.smith at comodo.com>; public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] Phone verification issues

To state the obvious, it seems the process should be:

1.  If the organization’s phone number can be found in a QIIS, QGIS, etc., that is sufficient (but use that number to confirm other EV requirements).

2. If no number can be found… extra due diligence, including seeing if an alternate number (the mobile number, VOIP, etc.) is posted on the customer’s website, confirming the customer can be reached at the number, asking for a copy of phone bills (which could be faked), and – confirming there is a bank account in the customer’s name (using something stronger than just a copy of a bank statement, which can be faked).

One of the main reasons why the EVGL required telephone confirmation was to increase “findability” of the customer in the event of problems or fraud – we wanted to avoid dealing with an EV customer with a shell corporation and a throw away mobile phone.  So if one confirmed contact point goes away (telephone number in public data base), maybe we must substitute another strong contact point, such as bank account which can be opened by a bank only after complying with Know Your Customer rules (which today we only require for companies less than 3 years old, etc.).

BTW – I never thought an accountant would be willing to sign an attestation letter re corporate existence, officer, phone number, etc. – just not a part of providing accounting services, at least in the US.

From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Rich Smith
Sent: Thursday, June 27, 2013 1:20 PM
To: public at cabforum.org<mailto:public at cabforum.org>
Subject: [cabfpub] Phone verification issues

**Disclaimer: This thread originated on the questions listserv.  Regarding that particular thread, it will be handled by the CA in question.  All identification of the CA and the original sender have been scrubbed from this thread, as I don't know what the policy is regarding making queries to the questions list public.**

I agree that this particular case should be left for the particular CA to handle, however it brings up a problem that I encounter on a routine basis and one which I believe we need to address.  It is going to become increasingly difficult to verify phone numbers.  In the developing world it is well understood that they are largely skipping over land lines in favor of mobile phones, VoIP, etc., and even in the developed world mobile phones and VoIP have over-taken land lines in numbers and will very likely continue to do so.  With the adoption of the BRs we have added an out of band verification requirement to OV, which generally means a verification of a phone number for OV as well, though it is not a strict requirement as it is for EV since other out of band methods are still allowed (just not particularly timely or useful IMO).

For a snap shot of the mobile vs. land line numbers, I have combined two lists from:
http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use
http://en.wikipedia.org/wiki/List_of_countries_by_number_of_telephone_lines_in_use
into the attached spreadsheet (in Excel and Open Document formats)

I don't know exactly what the solution is, but I think we should get a conversation started.

Regards,
Rich

From: questions-bounces at cabforum.org<mailto:questions-bounces at cabforum.org> [mailto:questions-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Thursday, June 27, 2013 2:35 PM
To: questions at cabforum.org<mailto:questions at cabforum.org>
Subject: Re: [cabfquest] EV SLL Verification suggestion


On 06/27/2013 09:22 PM, From *name redacted*:

Below is a problem we ran into and because of which we have a suggestion for change in the EV SSL verification rules. If this is not the proper channel for this type of suggestion please let me know how or where we could make this suggestion,



Thank You!

THE PROBLEM



We have had an EV SLL Cert issued by *redacted* for the last two years.



We are a small startup business that was using our home phone as a business line.  We had the phone forwarded to our cell phone. We found that with our cell phones we never used the home phone, and it was a monthly bill that we could eliminate, so we did. We changed the business number to a Google Voice number that was forwarded (like our home phone) to our cell phone. This provided us with the best solution so that our customers could usually always reach us.



Little did we know this would send us down a road that would eventually end up costing us our EV SLL certificate, and we had to revert to a standard SSL.



The problem was with the verification rules for the new phone number.  *redacted* was unable to find our small startup business in the directory, and we were unable to provide a bill that showed our new phone number, name of business, and address because Google Voice is a free service and no such bill is provided.



We were asked to provide a Professional Opinion Letter from a CPA or Lawyer - and even though our small business does not employ either, we went to a CPA office and one after another CPA looked at the letter from *redacted* and said they had never seen anything like it and were not about to sign it.  We talked to a total of 3 CPA's. We did not try a lawyer because the cost would have been prohibitive.



SUGGESTIONS FOR SOLUTION



First, to verify a phone number, one should be able to call that phone # and see who answers.  This is used by banks and financial institutions, why not for an EV SLL Certificate?



The "Professional Opinion Letter" is a complicated solution that costs $$$ for the end users -- I understand and appreciate the need for verification, but this should only be required in the most dire and last resort situations -- I would think if this letter was required then serious thought should be given as to whether the certificate should be issued at all. It certainly should not be required because a phone number changes.



I think we let *the CA* deal with this.
Regards



Signer:

Eddy Nigg, COO/CTO



StartCom Ltd.<http://www.startcom.org>

XMPP:

startcom at startcom.org<xmpp:startcom at startcom.org>

Blog:

Join the Revolution!<http://blog.startcom.org>

Twitter:

Follow Me<http://twitter.com/eddy_nigg>







TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential

and may be subject to copyright or other intellectual property protection.

If you are not the intended recipient, you are not authorized to use or

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.




<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20130627/a5e6735c/attachment-0001.html 


More information about the Public mailing list