[cabfpub] Ballot 122 - Verified Method of Communication

Ryan Sleevi sleevi at google.com
Thu May 8 18:18:30 MST 2014


On May 8, 2014 6:05 PM, "Jeremy Rowley" <jeremy.rowley at digicert.com> wrote:
>
> In an age when companies are spread globally and everyone works remote,
> multiple physical existence checks aren't as important as ensuring the CA
> has a verified and reliable way to communicate with the subscriber about
> certificate requests.

Considering that a significant part of the "extended" verification is
asserting the physical existence of the subscriber, I have to respectfully
disagree here.

> A single check for the address combined with reliable
> communication with the applicant provides a better level of assurance than
> requiring companies to stick with land lines.  I believe the proposed
> ballot will actually help increase security by permitting CAs to
> communicate using a Subscriber's preferred method of communication instead
> of trying to find authorization through a general phone number, hoping
> they eventually reach the correct person.

What are the assurances of extended verification for relying parties under
this justification? What does it matter that the CA has a reliable means to
contact the Subscriber if the RP doesn't?

>
> Because the Guidelines still require a CA to verify the contact info with
> a QIIS/QGIS (or attorney), what is the "predefined security bar" that CAs
> should meet?  In the working group (and during a couple of face-to-face
> conversations), we believed email, telephone, and postal address all met
> some minimum bar since they are all methods that subscribers use to
> routinely conduct business.  However, we didn't necessarily think that
> Skype/VoIP, Facebook, Twitter, or other methods of communication were
> quite sufficient.  Since the browsers were the only ones to vote against
> the ballot, is there something specific you want included?
>
> Jeremy
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Kelvin Yiu
> Sent: Thursday, May 8, 2014 3:10 PM
> To: Gervase Markham; ben at digicert.com; public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>
> I don't disagree with the fact that using a landline telephone number to
> verify physical existence is increasingly irrelevant. However, I vaguely
> recall discussions in the early meetings (before we coined the term EV)
> where we wanted to have 2 data sources to verify physical existence and
> the landline phone company was considered a good secondary source.
>
> It is entirely possible that information from Q*ISs have gotten so good
> that we don't need a secondary verification and I just don't know it. I
> just haven't seen any discussion on whether we need to improve the
> physical existence test or whether a physical existence test is still
> relevant.
>
> To be clear, I have no problems with using mobile phones, Skype/VoIP,
> email, or whatever the next new thing is to communicate with the
> applicant, as long as the contact info originates from a Q*IS and the
> method meets a predefined security bar.
>
> Kelvin
>
> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Thursday, May 8, 2014 3:48 AM
> To: ben at digicert.com; Kelvin Yiu; public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>
> On 07/05/14 22:01, Ben Wilson wrote:
> > I think that when we wrote 11.4.2 we all thought that it would serve
> > well as a "catch all" - doing triple duty for 1- physical address, 2-
> > business operational existence,  and 3 - "to confirm other
> > verification requirements," but I don't think that is still the case
> > for a growing minority of online businesses seeking SSL/TLS
> > certificates.
>
> Having re-reviewed section 11, I think your case is pretty well made. I am
> no longer concerned that this will result in a weakening of the checks of
> an applicant's physical existence - which is the key check because it
> establishes jurisdiction and it is also the info placed in the cert
> itself.
>
> The remaining issue for me is this (also raised by Kelvin): how do we
> decide what's a good Verified Method of Communication? Which, to me is
> basically the question of how secure from interception (as opposed to
> eavesdropping) do we want a Verified Method of Communication to be?
>
> It's fairly hard for a non-government to intercept and redirect a letter,
> or a call made from a landline phone to another one. Do we have the same
> level of confidence about mobile phones, email addresses etc.?
> Perhaps we do. I might even have more confidence that, given a Skype
> nickname, a Skype call to that nickname would connect with its owner than
> I would have confidence that an email sent to an email address would
> connect with its owner.
>
> We use unencrypted and unauthenticated email for Domain Validation. But is
> that something we want to rely on as our approved mechanism of
> communication for EV issuance?
>
> I think this merits further discussion. I'm torn what to do now, as voting
> ends today. I think I'll stick with NO, but I would be very open to a
> resubmission of this ballot once we've discussed and addressed this
> question of what should and shouldn't qualify as a VMC.
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>