[cabfpub] Proposed motion to modify EV domain verification section

[Geoff Keating]

On 06/05/2013, at 8:56 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

> I agree with Rich.  I do think the current EV verification process is
> woefully inadequate compared to what is permitted under the baseline
> requirements.  I do not see why a practical demonstration of control over a
> website required an attorney letter while checking the WHOIS doesn't require
> any additional steps.  

My perspective on this is that WHOIS is the canonical statement about who owns a domain.  That is, if you're listed as the administrative contact, you are the domain owner, and if anyone disputes that, it's up to them to get the WHOIS changed.

This is quite different from a practical demonstration of control, which shows that the applicant has the ability to make some change to the domain, but may not have actual authority to make the demonstrated change, and may not have the ability to make other changes.

It's true that the legitimate owner of the domain could put fake information in WHOIS.  This is why we do not allow WHOIS to be a source of the applicant's name or address.  The process is that you validate the applicant's true name and address using other means, and then you compare that validated information against WHOIS, and if it matches then you know that the applicant owns that domain.  With EV the validation of the applicant's true name and address is very strong, and so this whole process provides a strong indication that the applicant does own the domain.

So, I think it's entirely reasonable that for EV, a practical demonstration should require extra checks but verification against WHOIS should end the matter.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4316 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20130506/adedf97b/attachment-0001.bin