[cabfpub] Proposed motion to modify EV domain verification section

Geoff Keating geoffk at apple.com
Wed May 8 19:38:42 UTC 2013 

On 08/05/2013, at 11:25 am, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:

> 
> On 05/08/2013 07:00 PM, From Rich Smith:
>> My core argument is simply that, with the exception of #7 which, as Jeremy has pointed out, is probably too vague to allow for EV, the other acceptable methods described in the BR are AT LEAST as reliable as looking at WHOIS info (I consider most of them superior) so they should be allowed for EV.
> 
> Before we continue to argue between ourselves I'm very much interested to hear the opinions of the browsers vendors first. Tom, Gerv and of course any others...what do you think?

The impact of the motion is as follows:

1. We are reducing the requirement of "exclusive right to use" the domain to "has control".  That is, we are replacing a check for legitimacy ("right") with simple possession ("has").

2. We are removing the requirement that "the Applicant is aware of its registration or exclusive control of the Domain Name".

3. We are removing the requirement that the WHOIS information is neither "misleading nor inconsistent" when compared to the Subject's information.

I agree that the technical changes to the verification procedures in the motion achieves these things.

I do not think these things are a good idea.

With regard to (1), I think it's the key difference between EV and DV/OV.  The aim is to prevent two kinds of attacks:

- Someone hijacks a domain of a defunct or oblivious company (by, for example, taking over the address space used for its DNS servers, or for that matter physically acquiring the servers) and can prove they have effective control of it, but they aren't the owner.  They still shouldn't get an EV certificate.

- An insider has the ability, but not the right, to change a web site or domain (this is very common in large corporations).  They set up their own company with a similar-looking name and "prove" domain control.

So, I don't support removing (1) from EV.

I think that (2) should be put in the BRs, perhaps with weakened verification methods for non-EV certificates.  Most CA processes should achieve it automatically; the cases where it needs care are those where a large corporation is involved and there's some kind of automated certificate issuance mechanism.

For (3), I don't think we should be the WHOIS police (ICANN is doing that) but I do think that CAs should check that the WHOIS results don't raise any red flags.  So I don't think this provision should be removed, and if someone can think of appropriate language, I'd support putting a weakened version of it in the BRs.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4316 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130508/ac549eff/attachment-0001.p7s>

More information about the Public mailing list