[cabfpub] Ballot 122 - Verified Method of Communication

Gervase Markham gerv at mozilla.org
Thu May 8 03:48:19 MST 2014


On 07/05/14 22:01, Ben Wilson wrote:
> I think that when we wrote 11.4.2 we all thought that it would serve
> well as a "catch all" - doing triple duty for 1- physical address, 2-
> business operational existence,  and 3 - "to confirm other
> verification requirements," but I don't think that is still the case
> for a growing minority of online businesses seeking SSL/TLS
> certificates. 

Having re-reviewed section 11, I think your case is pretty well made. I
am no longer concerned that this will result in a weakening of the
checks of an applicant's physical existence - which is the key check
because it establishes jurisdiction and it is also the info placed in
the cert itself.

The remaining issue for me is this (also raised by Kelvin): how do we
decide what's a good Verified Method of Communication? Which, to me is
basically the question of how secure from interception (as opposed to
eavesdropping) do we want a Verified Method of Communication to be?

It's fairly hard for a non-government to intercept and redirect a
letter, or a call made from a landline phone to another one. Do we have
the same level of confidence about mobile phones, email addresses etc.?
Perhaps we do. I might even have more confidence that, given a Skype
nickname, a Skype call to that nickname would connect with its owner
than I would have confidence that an email sent to an email address
would connect with its owner.

We use unencrypted and unauthenticated email for Domain Validation. But
is that something we want to rely on as our approved mechanism of
communication for EV issuance?

I think this merits further discussion. I'm torn what to do now, as
voting ends today. I think I'll stick with NO, but I would be very open
to a resubmission of this ballot once we've discussed and addressed this
question of what should and shouldn't qualify as a VMC.

Gerv


More information about the Public mailing list