[cabfpub] Proposed motion to modify EV domain verification section

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Mon May 6 15:55:30 UTC 2013


On 05/06/2013 05:42 PM, From Rich Smith:
> What's more, the EV requirement around domain verification is currently LESS
> SECURE than OV/DV in this regard as it ONLY requires looking at WHOIS.  To
> the best of my knowledge there has never been a case of any mis-issuance of
> a certificate to an unauthorized domain where a technical mechanism was used
> to verify domain authorization.

If anything we should probably require a technical verification *and* a 
human interaction via WHOIS to really improve it.

I'm not sure... if we'd simply rely on technical verification, under 
certain circumstances certificates could be issued unintentionally, and 
then at the EV level. I'm not very comfortable with the thought of 
solely relying on a domain control validation.

Also, EV certificates should probably identify the entity that stands 
behind the web site (even though the guidelines allow for authorization 
and delegation of sites to a validated entity); it requires a 
lookup of the WHOIS records and/or web sites involved to confirm that.

> It is also extremely frustrating for a customer who, for example, gets a
> request from us to unmask whois, gets an email sent to a WHOIS contact and
> responds to it, then gets another request that they now have to go back in and
> change the WHOIS info because we have found it to not match now that we can
> see it.  From their point of view, the email established that they own the
> domain so we are now just wasting their time.

Yes, probably most of us are aware of the difficulties with that; on the 
other hand it also relays to the parties involved that an EV isn't that 
easy to get. Agreed that your proposal would reduce some of the hassle 
with that and make EV more convenient.


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

