[cabfpub] Proposed motion to modify EV domain verification section

kirk_hall at trendmicro.com
Fri May 3 23:11:53 UTC 2013


I don't believe you can establish an EV Organization has the exclusive right to use a domain (at the EV level) simply by getting a response from someone to an email sent to admin@, etc.  In that sense, EV vetting of domains would be no stronger than DV or OV.

-----Original Message-----
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Friday, May 03, 2013 3:08 PM
To: Kirk Hall (RD-US); richard.smith at comodo.com; 'Steve Roylance'; 'Yngve N. Pettersen'
Cc: public at cabforum.org
Subject: RE: [cabfpub] Proposed motion to modify EV domain verification section

The EV Guidelines don't require the applicant to be the entity listed in the WHOIS.  They must either be the registered holder of the domain OR have the exclusive right to use.  Section 11.6.2 already permits issuance in three or four (depending on how you count) cases where you aren't the domain holder.


Rich wants to expand this list to match the baseline requirements.  I agree with him for the most part since several of the mechanisms permitted by the baseline requirements are at least as good as a WHOIS check.

Jeremy
 
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Friday, May 03, 2013 3:58 PM
To: richard.smith at comodo.com; 'Steve Roylance'; 'Yngve N. Pettersen'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section

Rich, you make some good points -- but I have a concern about eliminating the requirement that a domain owner be listed in WhoIs to get an EV upgrade (or Attestation Letters, etc.).  It's true that WhoIs info is self-reported -- but presumably only one company can list itself as Registrant in WhoIs, so it means something.  If the Registrant in WhoIs does NOT match the Organization name at the EV level -- doesn't that raise a concern (even if the Organization can respond to an email sent to admin at domain.com)?  It kind of implies that the Organization being vetted to the EV level does NOT own the domain (or they would have listed their name there...).

I'd like to think this one through a bit more.  What would be the justification at the EV level of NOT looking at the WhoIs Registrant name to see what it says?  (What if the registrant for example.com is Johnny's ISP Co., and admin at example.com is going to Johnny's ISP and Johnny responds, and there is never contact with Example, Inc. -- has the domain been validated to the EV level?) 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rich Smith
Sent: Friday, May 03, 2013 8:36 AM
To: 'Steve Roylance'; 'Yngve N. Pettersen'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section

That's good feedback.  I'm working on a rework of the motion to address the concerns that have been expressed and will send out a revised motion either later today or early Monday.

Rich

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Steve Roylance
> Sent: Friday, May 03, 2013 11:22 AM
> To: Yngve N. Pettersen
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section
> 
> Hi Yngve.
> 
> 
> +1 as this makes good sense and preserves the EV security advantages but
> allows us to use the BR breadth of alternatives too.  (It also
> addresses Bruce's concern from his recent post)
> 
> Steve
> 
> On 03/05/2013 13:37, "Yngve N. Pettersen" <yngve at spec-work.net> wrote:
> 
> >On Thu, 02 May 2013 21:22:28 +0200, Eddy Nigg (StartCom Ltd.) 
> ><eddy_nigg at startcom.org> wrote:
> >
> >>
> >> On 05/02/2013 09:16 PM, From Rich Smith:
> >>>
> >>> In the interest of simplifying the EV Guidelines and to allow 
> >>> uniformity of processes where possible I propose the following 
> >>> amendment to the EV Guidelines.  I'm looking for two endorsers.
> >>>
> >>
> >> Do you really consider these to be sufficient for EV?
> >
> ><snip>
> >
> >Just a general thought: If there is overlap between domain verification
> >procedures in the BR and EV, but not complete overlap, with the ones
> >outside the overlap being insufficient for EV, perhaps the way
> >forward would be to separate the procedures that are common for EV
> >and BR out as a separate set of procedures? Then the ones that are
> >not suitable for EV can be specified in a separate subsection.
> >
> >This would of course require editing the BR, as well as the EV 
> >guidelines, and would likely require a synchronized version release.
> >This would be more complex, but would accomplish what is being 
> >proposed, without reducing the EV security.
> >
> >--
> >Sincerely,
> >Yngve N. Pettersen
> >
> >Using Opera's mail client: http://www.opera.com/mail/ 
> >_______________________________________________
> >Public mailing list
> >Public at cabforum.org
> >https://cabforum.org/mailman/listinfo/public
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
