[cabfpub] Proposed motion to modify EV domain verification section
ben at digicert.com
Wed May 15 17:47:58 UTC 2013
On Wednesday, May 15, 2013 1:47 AM, Eddy Nigg (StartCom Ltd.) wrote:
>For years the exclusive right and proper authorization was part of the landscape of EV.
>If this proposal would be adopted we probably will abandon non-EV
>organization validated certificates and move them all over to EV (for
>the better or worse). But then we probably should remove the "Extended"
>from "Extended Validation" because it clearly wouldn't be that anymore.
Domain registration, control, etc., and proper authorization will still be a part of EV. The issue is more about consistency between the Baseline Requirements and the EV Guidelines in one small part of the process. If there is a deficiency that makes anyone think that an EV certificate would no longer be considered "extended," then they should point that out, explain why, and then it should be discussed. In other words, what are the processes currently in use to perform the basic first steps of domain validation for DV, OV, and EV? There is no doubt that EV has additional steps over DV and OV, but the latter should be a clear subset of the former. If it is unclear that EV is superior to the Baseline Requirements, if because, for example additional EV steps are not described in a location adjacent to domain validation within the document, then that should be fixed.
My position is that we should still eliminate the word "exclusive" because "exclusive right" is confusing to most people. "Exclusive right" is merely a legalism used to describe the legalities (property "ownership" framework) of what a domain registration is and is not. This is commonly expressed as follows, "registration does not confer any legal ownership of the domain name, only an exclusive right of use." It's use in Section 11.6.2(2) is just a placeholder for the concept of domain ownership, to address the fact that a registrant can delegate control over portions of its assigned domain namespace to third parties. I don't think the Baseline Requirements or the EV Guidelines allow anyone to circumvent the steps of confirming the name of the domain registrant, and if the named organization is different, a verification of some form of delegation (legal or technical) to the named entity from the registrant. EV adds on additional steps in section 11.6.2(3) that requires the CA to confirm that the named Applicant has knowledge and is aware of the domain registration and the certificate request. This is somewhat redundant with sections 11.7.2 and 11.7.3, which require the CA to independently verify the name, title, agency, and authority of the Contract Signer and Certificate Approver.
I don't think anyone is suggesting that the threshold or assurance level be dropped, only that the language be simplified and harmonized.
I also disagree with the argument that convergence of EV into OV is imminent. EV has its own, well-established procedures, vetting criteria, and framework. That's not to say that those obtaining OV won't merge into EV in the long term, but I don't see anyone scrambling currently to do the work that would effectuate that merger, in either direction.
More information about the Public