[cabfpub] Proposed motion to modify EV domain verification section

Jeremy Rowley jeremy.rowley at digicert.com
Mon May 6 21:40:19 MST 2013


I recognize that there is a self-reporting requirement and that SSAC Report #58 released this year has some recommendations that, if adopted, will greatly improve the WHOIS contents.  Considering the large number of WHOIS listings that are incorrect and that self-reported data is not permitted under EV, I think other verification requirements are more effective at determining the controller/owner of the website.

 

I think looking at what registrars do is a good way to expand the domain validation scope. However, I think the Forum already has several effective methods of verifying domain names in the BRs, and I do not see the harm in permitting these same procedures for EV.

 

Jeremy

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Hurst
Sent: Monday, May 06, 2013 10:23 PM
To: jeremy.rowley at digicert.com; 'Eddy Nigg (StartCom Ltd.)'; public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section

 

Since 2003 ICANN has required the information to be validated yearly (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp). The policy was poorly written, did not consider global privacy requirements and is not enforced, but it is at least mandated: http://www.circleid.com/posts/20120719_a_confession_about_icann_whois_data_reminder_policy/

 

I understand one of the key reasons for non-enforcement is that ICANN feels they do not have the teeth to do so in the existing contracts with registrars.

 

I also understand that they have addressed this contractual teeth issue with the gTLD contracts.

 

As we look at this topic I believe it is best to consider both what registrars are required to do and build mitigations based on what they truly do.

 

Ryan

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Monday, May 06, 2013 9:00 PM
To: 'Eddy Nigg (StartCom Ltd.)'; public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section

 

We do require a human interaction (and that won’t change) when we verify the certificate requester.  However, that is separate from domain verification.  Considering that WHOIS information is essentially non-verified information, I don’t think the WHOIS check provides any insight about the domain’s operator.  Until ICANN requires verification of each domain applicant, the WHOIS information is less reliable (IMO) than several of the verification methods permitted under the baseline requirements.

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Monday, May 06, 2013 9:56 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section

 


On 05/06/2013 05:42 PM, From Rich Smith: 

> What's more, the EV requirement around domain verification is currently LESS
> SECURE than OV/DV in this regard as it ONLY requires looking at WHOIS.  To
> the best of my knowledge there has never been a case of any mis-issuance of
> a certificate to an unauthorized domain where a technical mechanism was used
> to verify domain authorization.


If anything we should probably require a technical verification and a human interaction via WHOIS to really improve it.

I'm not sure... if we'd simply rely on technical verification, under certain circumstances certificates could be issued unintentionally, and then at the EV level. I'm not very comfortable with the thought of relying solely on a domain control validation.

Also EV certificates should probably identify the entity that stands behind the web site (even though the guidelines allow for authorization and delegation of sites to a validated entity), it requires either a lookup at the WHOIS records and/or web sites involved to confirm that.

> It is also extremely frustrating for a customer who, for example, gets a
> request from us to unmask whois, gets an email sent to a WHOIS contact and
> responds to it, then gets another request that they now have to go back in and
> change the WHOIS info because we have found it to not match now that we can
> see it.  From their point of view, the email established that they own the
> domain so we are now just wasting their time.


Yes, probably most of us are aware of the difficulties with that, on the other hand it also relays to the parties involved that an EV isn't that easy to get. Agreed that your proposal would reduce some of the hassle with that and make EV more convenient.


Regards

Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
