[cabfpub] Proposed motion to modify EV domain verification section

Jeremy Rowley jeremy.rowley at digicert.com
Tue May 14 23:57:47 UTC 2013


The situation you described is verified under Section 11.8, not the domain
section.  The domain requirement is to verify the company's knowledge of the
domain, not knowledge of the certificate request.  I think the two sections
are somewhat redundant and neither necessarily prevents someone from getting
an EV certificate in their name and using it for shared web hosting.  Domain
name verification should really be completely separate from obligations
surrounding use of a certificate and verification of the certificate
request.

Jeremy



-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Geoff Keating
Sent: Tuesday, May 14, 2013 4:27 PM
To: Mads Egil Henriksveen
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section


On 14/05/2013, at 2:39 AM, Mads Egil Henriksveen
<Mads.Henriksveen at buypass.no> wrote:

> I agree with Jeremy in that the awareness requirement and verification of
> knowledge (ref [2]) does not add any assurance to the certificate. If an
> applicant requests an SSL certificate for a given domain, this indicates
> that the applicant has some knowledge of its relation to the domain. And if
> this is a common understanding, we should consider removing this from the EV
> requirements as well.

Although it sounds obvious when you think of the Applicant as a person that
if the Applicant requests a certificate they must know what they requested,
the actual situation may be more complicated. For example, in a large
corporation, the employee who is allowed to request certificates may not be
the employee who is allowed to register domain names (and approve them for
certificate issuance).

> The domain verification section of EV (11.6) is quite complex; one example
> is 11.6.2 (2) A. In this case, the "exclusive right to use" the domain
> requires a confirmation from the registered domain holder AND in addition
> some kind of contractual provision (Jeremy's wording). I do not understand
> the necessity of this last part.

The contractual provision is so that the Applicant does not agree to allow
someone else to use the name; it confirms 'exclusive'.

I think I was told that the motivation for 'exclusive' is that otherwise an
ISP could get an EV certificate in their name and use it for shared web
hosting (with multiple domain names), which would seem to defeat the purpose
of EV.

[I agree with Ben's comments about the confusion of FQDN vs Domain Name.]
