[cabfpub] Proposed motion to modify EV domain verification section

Geoff Keating geoffk at apple.com
Tue May 14 22:26:58 UTC 2013


On 14/05/2013, at 2:39 AM, Mads Egil Henriksveen <Mads.Henriksveen at buypass.no> wrote:

> I agree with Jeremy in that the awareness requirement and verification of knowledge (ref [2]) does not add any assurance to the certificate. If an applicant requests an SSL certificate for a given domain, this indicates that the applicant has some knowledge of its relation to the domain. And if this is a common understanding, we should consider removing this from the EV requirements as well.

Although it sounds obvious when you think of the Applicant as a person that if the Applicant requests a certificate they must know what they requested, the actual situation may be more complicated. For example, in a large corporation, the employee who is allowed to request certificates may not be the employee who is allowed to register domain names (and approve them for certificate issuance).

> The domain verification section of EV (11.6) is quite complex, one example is 11.6.2 (2) A. In this case, the "exclusive right to use" the domain requires a confirmation from the registered domain holder AND in addition some kind of contractual provision (Jeremy's wording). I do not understand the necessity of this last part.

The contractual provision is so that the Applicant does not agree to allow someone else to use the name; it confirms 'exclusive'.

I think I was told that the motivation for 'exclusive' is that otherwise an ISP could get an EV certificate in their name and use it for shared web hosting (with multiple domain names), which would seem to defeat the purpose of EV.

[I agree with Ben's comments about the confusion of FQDN vs Domain Name.]
