[cabfpub] Ballot 122 - Verified Method of Communication

Kelvin Yiu kelviny at exchange.microsoft.com
Thu May 8 14:09:49 MST 2014


I don't disagree with the fact that using a landline telephone number to verify physical existence is increasingly irrelevant. However, I vaguely recall discussions in the early meetings (before we coined the term EV) where we wanted to have 2 data sources to verify physical existence and the landline phone company was considered a good secondary source. 

It is entirely possible that information from Q*ISs have gotten so good that we don't need a secondary verification and I just don't know it. I just haven't seen any discussion on whether we need to improve the physical existence test or whether a physical existence test is still relevant.

To be clear, I have no problems with using mobile phones, Skype/VoIP, email, or whatever the next new thing is to communicate with the applicant, as long as the contact info originates from a Q*IS and the method meets a predefined security bar.

Kelvin

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, May 8, 2014 3:48 AM
To: ben at digicert.com; Kelvin Yiu; public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

On 07/05/14 22:01, Ben Wilson wrote:
> I think that when we wrote 11.4.2 we all thought that it would serve 
> well as a "catch all" - doing triple duty for 1- physical address, 2- 
> business operational existence,  and 3 - "to confirm other 
> verification requirements," but I don't think that is still the case 
> for a growing minority of online businesses seeking SSL/TLS 
> certificates.

Having re-reviewed section 11, I think your case is pretty well made. I am no longer concerned that this will result in a weakening of the checks of an applicant's physical existence - which is the key check because it establishes jurisdiction and it is also the info placed in the cert itself.

The remaining issue for me is this (also raised by Kelvin): how do we decide what's a good Verified Method of Communication? Which, to me, is basically the question of how secure from interception (as opposed to eavesdropping) do we want a Verified Method of Communication to be?

It's fairly hard for a non-government to intercept and redirect a letter, or a call made from a landline phone to another one. Do we have the same level of confidence about mobile phones, email addresses etc.? Perhaps we do. I might even have more confidence that, given a Skype nickname, a Skype call to that nickname would connect with its owner than I would have confidence that an email sent to an email address would connect with its owner.

We use unencrypted and unauthenticated email for Domain Validation. But is that something we want to rely on as our approved mechanism of communication for EV issuance?

I think this merits further discussion. I'm torn about what to do now, as voting ends today. I think I'll stick with NO, but I would be very open to a resubmission of this ballot once we've discussed and addressed this question of what should and shouldn't qualify as a VMC.

Gerv
