[cabfpub] Proposed motion to modify EV domain verification section

Rich Smith richard.smith at comodo.com
Fri May 3 05:19:07 MST 2013


I'm not saying that looking at the WHOIS info should be disallowed or even
discouraged, but IMO it is the least effective of the methods outlined in
the BR for establishing domain control, and it's basically the only method
allowed for EV.  An email sent to a WHOIS contact or one of the 5 accepted
admin addresses, or having the applicant make an agreed-upon change to the
web site or DNS are far more effective and secure methods of establishing
domain control, and yet those methods are currently not allowed for EV.  You
can make the applicant do them, as from Eddy's response it appears that he
does, but the only currently acceptable method for EV is looking at WHOIS.
My goal with this motion is to allow the other methods outlined in the BR to
be used because I consider those methods as more secure than looking at
unverified WHOIS information.

Rich

> -----Original Message-----
> From: Geoff Keating [mailto:geoffk at apple.com]
> Sent: Thursday, May 02, 2013 4:34 PM
> To: richard.smith at comodo.com
> Cc: 'Eddy Nigg (StartCom Ltd.)'; public at cabforum.org
> Subject: Re: [cabfpub] Proposed motion to modify EV domain verification
> section
> 
> 
> On 02/05/2013, at 12:59 PM, Rich Smith <richard.smith at comodo.com> wrote:
> 
> > Eddy,
> > I absolutely consider the methods you quoted far more sufficient than
> > simply looking at WHOIS information.  It is well known that the domain
> > registrars, with a few possible exceptions, do absolutely no vetting of
> > the information contained in WHOIS so just looking at WHOIS for
> > MYFAKEMICROSOFT.COM and seeing Microsoft's name and address in the
> > Registrant details is completely useless as any kind of actual
> > verification of anything except that the actual domain owner knows how
> > to look up a company's address.
> 
> I believe the point of looking at whois information is that if you
> already know you're talking to Microsoft, because you've verified that,
> and the whois information says the domain is owned by Microsoft, then
> you've verified domain control.
