[cabfpub] Proposed motion to modify EV domain verification section

Jeremy Rowley jeremy.rowley at digicert.com
Wed May 8 21:01:06 UTC 2013


1. We are reducing the requirement of "exclusive right to use" the domain to
"has control".  That is, we are replacing a check for legitimacy ("right")
with simple possession ("has").

[JR] I do not think the requirements require a true verification of an
exclusive right since Section 11.6.2(A) permits a representation from WHOIS
combined with a contractual provision and Section 11.6.2(B) permits
verification of exclusivity using a practical demonstration of control
combined with an accountant letter.

2. We are removing the requirement that "the Applicant is aware of its
registration or exclusive control of the Domain Name".

[JR] Considering verification of awareness is permitted by a contract
representation (see 11.6.2(3)(B)), I don't think there is much of a change.  We
can certainly retain this representation requirement in the EVs.

3. We are removing the requirement that the WHOIS information is neither
"misleading nor inconsistent" when compared to the Subject's information.

[JR] I believe we should keep this as a minimum requirement before moving
onto other methods of verification.  There should always be a requirement to
check the WHOIS before proceeding with other types of verification.

With regard to (1), I think it's the key difference between EV and DV/OV.
The aim is to prevent two kinds of attacks:

- Someone hijacks a domain of a defunct or oblivious company (by, for
example, taking over the address space used for its DNS servers, or for that
matter physically acquiring the servers) and can prove they have effective
control of it, but they aren't the owner.  They still shouldn't get an EV
certificate.

[JR] They can if they have an accountant letter that says they have a right
to use the domain.

- An insider has the ability, but not the right, to change a web site or
domain (this is very common in large corporations).  They set up their own
company with a similar-looking name and "prove" domain control.

[JR] Still possible provided you have an accountant letter on file.

So, I don't support removing (1) from EV.

I think that (2) should be put in the BRs, perhaps with weakened
verification methods for non-EV certificates.  Most CA processes should
achieve it automatically; the cases where it needs care are those where a
large corporation is involved and there's some kind of automated certificate
issuance mechanism.

[JR] I disagree.  I don't think verification of knowledge does anything
other than add a step in an already complicated process.  I do not think it
adds any assurances to the certificate.

For (3), I don't think we should be the WHOIS police (ICANN is doing that)
but I do think that CAs should check that the WHOIS results don't raise any
red flags.  So I don't think this provision should be removed, and if
someone can think of appropriate language, I'd support putting a weakened
version of it in the BRs.

[JR] I agree.  I think a WHOIS check should always be a first step in
validating EV certs.



