[cabfpub] Ballot 122 - Verified Method of Communication

Gervase Markham gerv at mozilla.org
Fri May 9 01:59:32 MST 2014


On 09/05/14 02:18, Ryan Sleevi wrote:
> Considering that a significant part of the "extended" verification is
> asserting the physical existence of the subscriber, I have to
> respectfully disagree here.

I think this is the heart of the question of whether this change, in
principle, is reasonable (that's as opposed to smaller discussions about
appropriate comms methods).

In today's world, does the phone number check add significantly to the
certitude the CA has about the physical existence of the subscriber at
the address from the QIS? If not, then this ballot is OK. If it does,
then how do we replace that additional certitude, for companies who
don't have a landline? Are they inherently more fly-by-night, or do we
just need to find different ways of acquiring that certitude? If we need
to find those ways, let's find them and implement them in the same move
as relaxing this requirement.

> What are the assurances of extended verification for relying parties
> under this justification? What does it matter that the CA has a reliable
> means to contact the Subscriber if the RP doesn't?

As someone else pointed out, this phone number is not put in the cert,
so the RP is no worse off. Phone numbers are also reasonably ephemeral
today, even land lines. A registered physical place of business seems to
me to be the correct way to "nail down" a particular company.

Gerv

