[cabfpub] Phone verification issues

Steve Roylance steve.roylance at globalsign.com
Fri Jun 28 02:32:50 MST 2013


Hi Everyone.

Just to note that in many European Countries the situation is totally
reversed in that Notaries are required to perform due diligence and do check
specific facts if requested.  Whilst the UK is Common Law (like the US) and
unlike most Civil Law European countries
(http://en.wikipedia.org/wiki/File:LegalSystemsOfTheWorldMap.png)  the
notaries here do check everything they are asked to check and are not merely
a third party witness of an event so we need to be careful on amendments
that are not globally consistent.

Kind Regards

 

Steve Roylance

Business Development Director


From:  "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com>
Date:  Thursday, 27 June 2013 22:26
To:  Jeremy Rowley <jeremy.rowley at digicert.com>, "public at cabforum.org"
<public at cabforum.org>
Subject:  Re: [cabfpub] Phone verification issues

Jeremy, the only problem with using notaries is - they just verify the Mr.
or Ms. X (who works for the customer) *signed* a document or affidavit.
They do not vouch for the accuracy of any statements in the document, and
they will not be verifying the phone number (VOIP, mobile phone, etc.) of
the customer or the person signing the document.
 
So using a notary won't really verify the customer's phone number - only the
Mr. or Ms. X signed something attesting to the phone number.  Mr. or Ms. X
could also attest to the company's state of incorporation, domains, etc. and
have the document notarized - but that wouldn't really establish any of
those facts either.
 
The idea of an attorney/accountant letter was that those professionals were,
in fact, themselves attesting to the facts (like local registration
authorities) based on their own investigation and knowledge of facts, which
is way stronger than a notarization of the customer's own statements.
 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Jeremy Rowley
Sent: Thursday, June 27, 2013 2:13 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Phone verification issues
 
We could also consider starting to allow notaries.  When the EV guidelines were
originally created, verification of notaries was extremely difficult.
However, almost every state now has a public repository of notaries along
with contact information.  Because notary verification reliability has
significantly increased over the last couple of years, we should consider
expanding Verified Letter verification of phone numbers to include notarized
letters based on original documentation.
 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Jeremy Rowley
Sent: Thursday, June 27, 2013 3:00 PM
To: kirk_hall at trendmicro.com; richard.smith at comodo.com; public at cabforum.org
Subject: Re: [cabfpub] Phone verification issues
 
I agree that this should be the process and would love to see a change in
the EV Guidelines that reflects this.
 

From:public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of kirk_hall at trendmicro.com
Sent: Thursday, June 27, 2013 2:36 PM
To: richard.smith at comodo.com; public at cabforum.org
Subject: Re: [cabfpub] Phone verification issues
 
To state the obvious, it seems the process should be:
 
1.  If the organization's phone number can be found in a QIIS, QGIS, etc.,
that is sufficient (but use that number to confirm other EV requirements).
 
2. If no number can be found... extra due diligence, including seeing if an
alternate number (the mobile number, VOIP, etc.) is posted on the customer's
website, confirming the customer can be reached at the number, asking for a
copy of phone bills (which could be faked), and - confirming there is a bank
account in the customer's name (using something stronger than just a copy of
a bank statement, which can be faked).
 
One of the main reasons why the EVGL required telephone confirmation was to
increase "findability" of the customer in the event of problems or fraud -
we wanted to avoid dealing with an EV customer with a shell corporation and
a throwaway mobile phone.  So if one confirmed contact point goes away
(telephone number in public database), maybe we must substitute another
strong contact point, such as bank account which can be opened by a bank
only after complying with Know Your Customer rules (which today we only
require for companies less than 3 years old, etc.).
 
BTW - I never thought an accountant would be willing to sign an attestation
letter re corporate existence, officer, phone number, etc. - just not a part
of providing accounting services, at least in the US.
 

From:public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rich Smith
Sent: Thursday, June 27, 2013 1:20 PM
To: public at cabforum.org
Subject: [cabfpub] Phone verification issues
 
**Disclaimer: This thread originated on the questions listserv.  Regarding
that particular thread, it will be handled by the CA in question.  All
identification of the CA and the original sender have been scrubbed from
this thread, as I don't know what the policy is regarding making queries to
the questions list public.**
 
I agree that this particular case should be left for the particular CA to
handle, however it brings up a problem that I encounter on a routine basis
and one which I believe we need to address.  It is going to become
increasingly difficult to verify phone numbers.  In the developing world it
is well understood that they are largely skipping over land lines in favor
of mobile phones, VoIP, etc., and even in the developed world mobile phones
and VoIP have overtaken land lines in numbers and will very likely continue
to do so.  With the adoption of the BRs we have added an out-of-band
verification requirement to OV, which generally means a verification of a
phone number for OV as well, though it is not a strict requirement as it is
for EV since other out-of-band methods are still allowed (just not
particularly timely or useful IMO).
 
For a snapshot of the mobile vs. land line numbers, I have combined two
lists from:
http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use
http://en.wikipedia.org/wiki/List_of_countries_by_number_of_telephone_lines_in_use
into the attached spreadsheet (in Excel and Open Document formats).
 
I don't know exactly what the solution is, but I think we should get a
conversation started.
 
Regards,
Rich
 

From:questions-bounces at cabforum.org [mailto:questions-bounces at cabforum.org]
On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Thursday, June 27, 2013 2:35 PM
To: questions at cabforum.org
Subject: Re: [cabfquest] EV SSL Verification suggestion
 

On 06/27/2013 09:22 PM, From *name redacted*:
Below is a problem we ran into and because of which we have a suggestion for
change in the EV SSL verification rules. If this is not the proper channel
for this type of suggestion please let me know how or where we could make
this suggestion,
 
Thank You!
THE PROBLEM
 
We have had an EV SSL Cert issued by *redacted* for the last two years.
 
We are a small startup business that was using our home phone as a business
line.  We had the phone forwarded to our cell phone. We found that with our
cell phones we never used the home phone, and it was a monthly bill that we
could eliminate, so we did. We changed the business number to a Google Voice
number that was forwarded (like our home phone) to our cell phone. This
provided us with the best solution so that our customers could usually
always reach us.
 
Little did we know this would send us down a road that would eventually end
up costing us our EV SSL certificate, and we had to revert to a standard
SSL.
 
The problem was with the verification rules for the new phone number.
*redacted* was unable to find our small startup business in the directory,
and we were unable to provide a bill that showed our new phone number, name
of business, and address because Google Voice is a free service and no such
bill is provided. 
 
We were asked to provide a Professional Opinion Letter from a CPA or Lawyer
- and even though our small business does not employ either, we went to a
CPA office and one after another CPA looked at the letter from *redacted*
and said they had never seen anything like it and were not about to sign it.
We talked to a total of 3 CPAs. We did not try a lawyer because the cost
would have been prohibitive.
 
SUGGESTIONS FOR SOLUTION
 
First, to verify a phone number, one should be able to call that phone # and
see who answers.  This is used by banks and financial institutions, why not
for an EV SSL Certificate?
 
The "Professional Opinion Letter" is a complicated solution that costs $$$
for the end users -- I understand and appreciate the need for verification,
but this should only be required in the most dire and last resort situations
-- I would think if this letter was required then serious thought should be
given as to whether the certificate should be issued at all. It certainly
should not be required because a phone number changes.
 

I think we let *the CA* deal with this.
Regards 
 
Signer: Eddy Nigg, COO/CTO
 StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
 
 
 
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail
or
telephone and delete the original message from your mail system.
 
_______________________________________________ Public mailing list
Public at cabforum.org https://cabforum.org/mailman/listinfo/public
