[cabfpub] Proposed motion to modify EV domain verification section

Jeremy Rowley jeremy.rowley at digicert.com
Fri May 3 22:07:38 UTC 2013


The EV Guidelines don't require the applicant to be the entity listed in the
WHOIS.  They must either be the registered holder of the domain OR have the
exclusive right to use.  Section 11.6.2 already permits issuance in three or
four (depending on how you count) cases where you aren't the domain holder.


Rich wants to expand this list to match the baseline requirements.  I agree
with him for the most part since several of the mechanisms permitted by the
baseline requirements are at least as good as a WHOIS check.

Jeremy
 
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of kirk_hall at trendmicro.com
Sent: Friday, May 03, 2013 3:58 PM
To: richard.smith at comodo.com; 'Steve Roylance'; 'Yngve N. Pettersen'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification
section

Rich, you make some good points -- but I have a concern about eliminating
the requirement that a domain owner be listed in WhoIs to get an EV upgrade
(or Attestation Letters, etc.).  It's true that WhoIs info is self-reported
-- but presumably only one company can list itself as Registrant in WhoIs,
so it means something.  If the Registrant in WhoIs does NOT match the
Organization name at the EV level -- doesn't that raise a concern (even if
the Organization can respond to an email sent to admin at domain.com)?  It kind
of implies that the Organization being vetted to the EV level does NOT own
the domain (or they would have listed their name there...).

I'd like to think this one through a bit more.  What would be the
justification at the EV level of NOT looking at the WhoIs Registrant name to
see what it says?  (What if the registrant for example.com is Johnny's ISP
Co., and admin at example.com is going to Johnny's ISP and Johnny responds, and
there is never contact with Example, Inc. -- has the domain been validated
to the EV level?) 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rich Smith
Sent: Friday, May 03, 2013 8:36 AM
To: 'Steve Roylance'; 'Yngve N. Pettersen'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification
section

That's good feedback.  I'm working on a rework of the motion to address the
concerns that have been expressed and will send out a revised motion either
later today or early Monday.

Rich

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Steve Roylance
> Sent: Friday, May 03, 2013 11:22 AM
> To: Yngve N. Pettersen
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Proposed motion to modify EV domain 
> verification section
> 
> Hi Yngve.
> 
> 
> +1 as this makes good sense and preserves the EV security advantages but
> allows us to use the BR breadth of alternatives too.  (It also addresses
> Bruce's concern from his recent post)
> 
> Steve
> 
> On 03/05/2013 13:37, "Yngve N. Pettersen" <yngve at spec-work.net> wrote:
> 
> >On Thu, 02 May 2013 21:22:28 +0200, Eddy Nigg (StartCom Ltd.) 
> ><eddy_nigg at startcom.org> wrote:
> >
> >>
> >> On 05/02/2013 09:16 PM, From Rich Smith:
> >>>
> >>> In the interest of simplifying the EV Guidelines and to allow 
> >>> uniformity of processes where possible I propose the following 
> >>> amendment to the EV Guidelines.  I'm looking for two endorsers.
> >>>
> >>
> >> Do you really consider these to be sufficient for EV?
> >
> ><snip>
> >
> >Just a general thought: If there is overlap between domain verification
> >procedures in the BR and EV, but not complete overlap, with the ones
> >outside the overlap being insufficient for EV, perhaps the way forward
> >would be to separate the procedures that are common for EV and BR out as
> >a separate set of procedures? Then the ones that are not suitable for EV
> >can be specified in a separate subsection.
> >
> >This would of course require editing the BR, as well as the EV 
> >guidelines, and would likely require a synchronized version release.
> >This would be more complex, but would accomplish what is being 
> >proposed, without reducing the EV security.
> >
> >--
> >Sincerely,
> >Yngve N. Pettersen
> >
> >Using Opera's mail client: http://www.opera.com/mail/ 
> 
> 

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public