[cabfpub] Proposed motion to modify EV domain verification section

Tue May 7 09:03:14 MST 2013

I had been reluctant to eliminate a WhoIs lookup (and match) as the primary method of EV domain confirmation.  My thinking was if the (self-reported) Registrant name is false, then the (self-reported) Admin, Tech, etc. email addresses could also be false, and an email confirmation using those addresses would be no stronger than the Org name in the WhoIs record.  I was also thinking that if the Registrant name for the domain is NOT the same as the Org. being EV vetted – that raises a real question that a CA should want to answer (why don’t they match?).

On the other hand, the good thing about an email confirmation at the EV level using one of the five prefixes or an email address in the WhoIs record is that it moves the Registrant from a passive to an active role.  If the CA just looks at the WhoIs record and doesn’t send a confirming email, the CA could be fooled (the WhoIs record is good, but the customer is pretending the be the (real) party listed in WhoIs – but the customer could never respond to an email sent to the five prefixes or email addresses listed in WhoIs).

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Tuesday, May 07, 2013 8:06 AM
To: 'Eddy Nigg (StartCom Ltd.)'; public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section

Not necessarily.  We are verifying that the self-reported information on WHOIS provides a reasonable connection with the applicant.  After all, 11.6.2 only requires that we obtain “a responses indicating that the applicant…is the entity to which the domain is registered” of that “the domain registrar…forward communication to the registered domain holder”.

However, I think the discussion has strayed somewhat from the original point: if a process provides equal assurances of domain control as the WHOIS, shouldn’t we expand the EV Guidelines to include these methods?   If so, the question is only about which methods provide equivalent assurances.

Jeremy

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Tuesday, May 07, 2013 2:29 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section

On 05/07/2013 06:59 AM, From Jeremy Rowley:
I don’t think the WHOIS check provides any insight about the domain’s operator.  Until ICANN requires verification of each domain applicant, the WHOIS information is less reliable (IMO) than several of the verification methods permitted under the baseline requirements.

I think you are making a logical mistake here - we don't rely on the WHOIS records in order to confirm the existence of an entity, we match those details with the by us verified organization details in order to confirm that the entity that was validated appears in the WHOIS records.
Regards

Signer:

Eddy Nigg, COO/CTO

StartCom Ltd.<http://www.startcom.org>

XMPP:

startcom at startcom.org<xmpp:startcom at startcom.org>

Blog:

Join the Revolution!<http://blog.startcom.org>

Twitter:

Follow Me<http://twitter.com/eddy_nigg>

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20130507/fdc47950/attachment.html 