[cabfpub] Method of Communication (previously Ballot 122 - Verified Method of Communication)
ben at digicert.com
Thu May 8 10:41:40 MST 2014
One idea that came out during the EV call today was to create a list of
communication methods that are acceptable and make it so additional methods
can be added over time. This might not address the issue raised by Gerv,
but could work on that as well, if that is a path we want to go down.
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Thursday, May 08, 2014 10:13 AM
To: 'Gervase Markham'; ben at digicert.com; 'Kelvin Yiu'; public at cabforum.org
Subject: Method of Communication (previously Ballot 122 - Verified Method of
We should discuss this issue on the main list rather than reverting to the
The methods of communication were chosen for ballot 122 based on what
Subscribers typically use to communicate with a CA about certificate
requests (which is why Skype, facebook, twitter, and others were not
included). Reliability is confirmed by requiring the CA to confirm the
method of communication using a QIIS, QGIS, or attorney opinion letter. If
we are willing to rely on an unencrypted email (or even WHOIS) for domain
validation, an email address listed in a government repository is probably
equally as reliable. Thoughts?
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Thursday, May 8, 2014 4:48 AM
To: ben at digicert.com; 'Kelvin Yiu'; public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
On 07/05/14 22:01, Ben Wilson wrote:
> I think that when we wrote 11.4.2 we all thought that it would serve
> well as a "catch all" - doing triple duty for 1- physical address, 2-
> business operational existence, and 3 - "to confirm other
> verification requirements," but I don't think that is still the case
> for a growing minority of online businesses seeking SSL/TLS
Having re-reviewed section 11, I think your case is pretty well made. I am
no longer concerned that this will result in a weakening of the checks of an
applicant's physical existence - which is the key check because it
establishes jurisdiction and it is also the info placed in the cert itself.
The remaining issue for me is this (also raised by Kelvin): how do we decide
what's a good Verified Method of Communication? Which, to me is basically
the question of how secure from interception (as opposed to
eavesdropping) do we want a Verified Method of Communication to be?
It's fairly hard for a non-government to intercept and redirect a letter, or
a call made from a landline phone to another one. Do we have the same level
of confidence about mobile phones, email addresses etc.?
Perhaps we do. I might even have more confidence that, given a Skype
nickname, a Skype call to that nickname would connect with its owner than I
would have confidence that an email sent to an email address would connect
with its owner.
We use unencrypted and unauthenticated email for Domain Validation. But is
that something we want to rely on as our approved mechanism of communication
for EV issuance?
I think this merits further discussion. I'm torn what to do now, as voting
ends today. I think I'll stick with NO, but I would be very open to a
resubmission of this ballot once we've discussed and addressed this question
of what should and shouldn't qualify as a VMC.
Public mailing list
Public at cabforum.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5453 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20140508/27c2f131/attachment.bin
More information about the Public