[cabfpub] Proposed motion to modify EV domain verification section

Jeremy Rowley jeremy.rowley at digicert.com
Mon May 6 20:56:48 MST 2013


I agree with Rich.  I do think the current EV verification process is
woefully inadequate compared to what is permitted under the baseline
requirements.  I do not see why a practical demonstration of control over a
website required an attorney letter while checking the WHOIS doesn't require
any additional steps.  

Jeremy

-----Original Message-----
From: Rich Smith [mailto:richard.smith at comodo.com] 
Sent: Monday, May 06, 2013 8:43 AM
To: kirk_hall at trendmicro.com; jeremy.rowley at digicert.com; 'Steve Roylance';
'Yngve N. Pettersen'
Cc: public at cabforum.org
Subject: RE: [cabfpub] Proposed motion to modify EV domain verification
section

The Extended Validation in EV is about the identity of the Applicant, and
the controls around that are neither weakened, nor strengthened with the
current EV domain verification requirements, or by my proposed changes.  

What's more, the EV requirement around domain verification is currently LESS
SECURE than OV/DV in this regard as it ONLY requires looking at WHOIS.  To
the best of my knowledge there has never been a case of any mis-issuance of
a certificate to an unauthorized domain where a technical mechanism was used
to verify domain authorization.

By technical mechanism I mean;
1) Response to an email sent to the WHOIS contact or one of the 5 acceptable
admin type addresses, OR;
2) An agreed upon change to the web site itself or to the DNS, OR;
3) Another mechanism technically equivalent to the above (I don't know of
other mechanisms, but other CAs may have come up with something).

The same cannot be said when just looking at WHOIS info.  For EV, currently,
any technical method imposed is solely at the discretion of the CA, and is,
from the standpoint of the Guidelines, a wasted step for the customer to go
through because it is neither required nor even permitted in absence of
matching WHOIS info.  In other words, as waste of time (from the customer's
perspective) to require it.

It is also extremely frustrating for a customer who, for example, gets a
request from us to unmask whois, gets an email sent to a WHOIS contact and
responds to it, then gets another request that they now have go back in and
change the WHOIS info because we have found it to not match now that we can
see it.  From their point of view, the email established that they own the
domain so we are now just wasting their time.

In addition many domain registrars make it very difficult and confusing to
update that information.  The customers don't complain to the registrar,
they complain to us.  At least we're their first point of complaint.  And
since I agree with them that we are wasting their time, I don't have much to
say to them to alleviate their frustration.

Rich

> -----Original Message-----
> From: kirk_hall at trendmicro.com [mailto:kirk_hall at trendmicro.com]
> Sent: Friday, May 03, 2013 7:12 PM
> To: jeremy.rowley at digicert.com; richard.smith at comodo.com; 'Steve
> Roylance'; 'Yngve N. Pettersen'
> Cc: public at cabforum.org
> Subject: RE: [cabfpub] Proposed motion to modify EV domain verification
> section
> 
> I don't believe you can establish an EV Organization has the exclusive
> right to use a domain (at the EV level) simply by getting a response
> from someone to an email sent to admin@, etc.  In that sense, EV
> vetting of domains would be no stronger than DV or OV.
> 
> -----Original Message-----
> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
> Sent: Friday, May 03, 2013 3:08 PM
> To: Kirk Hall (RD-US); richard.smith at comodo.com; 'Steve Roylance';
> 'Yngve N. Pettersen'
> Cc: public at cabforum.org
> Subject: RE: [cabfpub] Proposed motion to modify EV domain verification
> section
> 
> The EV Guidelines don't require the applicant to be the entity listed
> in the WHOIS.  They must either be the registered holder of the domain
> OR have the exclusive right to use.  Section 11.6.2 already permits
> issuance in three or four (depending on how you count) cases where you
> aren't the domain holder.
> 
> 
> Rich wants to expand this list to match the baseline requirements.  I
> agree with him for the most part since several of the mechanisms
> permitted by the baseline requirements are at least as good as a WHOIS
> check.
> 
> Jeremy
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of kirk_hall at trendmicro.com
> Sent: Friday, May 03, 2013 3:58 PM
> To: richard.smith at comodo.com; 'Steve Roylance'; 'Yngve N. Pettersen'
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Proposed motion to modify EV domain verification
> section
> 
> Rich, you make some good points -- but I have a concern about
> eliminating the requirement that a domain owner be listed in WhoIs to
> get an EV upgrade (or Attestation Letters, etc.).  It's true that WhoIs
> info is self-reported
> -- but presumably only one company can list itself as Registrant in
> WhoIs, so it means something.  If the Registrant in WhoIs does NOT
> match the Organization name at the EV level -- doesn't that raise a
> concern (even if the Organization can respond to an email sent to
> admin at domain.com)?  It kind of implies that the Organization being
> vetted to the EV level does NOT own the domain (or they would have
> listed their name there...).
> 
> I'd like to think this one through a bit more.  What would be the
> justification at the EV level of NOT looking at the WhoIs Registrant
> name to see what it says?  (What if the registrant for example.com is
> Johnny's ISP Co., and admin at example.com is going to Johnny's ISP and
> Johnny responds, and there is never contact with Example, Inc. -- has
> the domain been validated to the EV level?)
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Rich Smith
> Sent: Friday, May 03, 2013 8:36 AM
> To: 'Steve Roylance'; 'Yngve N. Pettersen'
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Proposed motion to modify EV domain verification
> section
> 
> That's good feedback.  I'm working on a rework of the motion to address
> the concerns that have been expressed and will send out a revised
> motion either later today or early Monday.
> 
> Rich
> 
> > -----Original Message-----
> > From: public-bounces at cabforum.org [mailto:public-
> bounces at cabforum.org]
> > On Behalf Of Steve Roylance
> > Sent: Friday, May 03, 2013 11:22 AM
> > To: Yngve N. Pettersen
> > Cc: public at cabforum.org
> > Subject: Re: [cabfpub] Proposed motion to modify EV domain
> > verification section
> >
> > Hi Yngve.
> >
> >
> > +1 as this makes good sense and preserves the EV security advantages
> > but
> > allows us to use the BR breadth of alternatives too.  (It also
> > addresses Bruce's concern from his recent post)
> >
> > Steve
> >
> > On 03/05/2013 13:37, "Yngve N. Pettersen" <yngve at spec-work.net>
> wrote:
> >
> > >On Thu, 02 May 2013 21:22:28 +0200, Eddy Nigg (StartCom Ltd.)
> > ><eddy_nigg at startcom.org> wrote:
> > >
> > >>
> > >> On 05/02/2013 09:16 PM, From Rich Smith:
> > >>>
> > >>> In the interest of simplifying the EV Guidelines and to allow
> > >>> uniformity of processes where possible I propose the following
> > >>> amendment to the EV Guidelines.  I'm looking for two endorsers.
> > >>>
> > >>
> > >> Do you really consider of these to be sufficient for EV?
> > >
> > ><snip>
> > >
> > >Just a general thought: If there is overlap between domain
> > verification
> > >procedures in the BR and EV, but not complete overlap, with the ones
> > >outside the overlap being insufficient for EV, perhaps the way
> > >forward would be to separate the procedures that are common for EV
> > >and BR out as a separate set of procedures? Then the ones that are
> > >not suitable for EV can be specified in a separate subsection.
> > >
> > >This would of course require editing the BR, as well as the EV
> > >guidelines, and would likely require a synchronized version release.
> > >This would be more complex, but would accomplish what is being
> > >proposed, without reducing the EV security.
> > >
> > >--
> > >Sincerely,
> > >Yngve N. Pettersen
> > >
> > >Using Opera's mail client: http://www.opera.com/mail/
> > >_______________________________________________
> > >Public mailing list
> > >Public at cabforum.org
> > >https://cabforum.org/mailman/listinfo/public
> >
> >
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> <table class="TM_EMAIL_NOTICE"><tr><td><pre>
> TREND MICRO EMAIL NOTICE
> The information contained in this email and any attachments is
> confidential and may be subject to copyright or other intellectual
> property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply
> mail or telephone and delete the original message from your mail
> system.
> </pre></td></tr></table>
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 
> <table class="TM_EMAIL_NOTICE"><tr><td><pre>
> TREND MICRO EMAIL NOTICE
> The information contained in this email and any attachments is
> confidential and may be subject to copyright or other intellectual
> property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply
> mail or telephone and delete the original message from your mail
> system.
> </pre></td></tr></table>




More information about the Public mailing list