[cabfpub] Ballot 122 - Verified Method of Communication

[Gervase Markham]

On 09/05/14 13:58, Jeremy Rowley wrote:
> And I agree with Rick's question.  Since Mozilla and Microsoft voted against
> the proposal. I'd be especially interested in hearing what they would
> consider an acceptable alternative to a telephone number.

Sorry not to reply to this before; I think my previous email in the
thread summed up our position well:

"Having re-reviewed section 11, I think your case is pretty well made. I
am no longer concerned that this will result in a weakening of the
checks of an applicant's physical existence - which is the key check
because it establishes jurisdiction and it is also the info placed in
the cert itself.

The remaining issue for me is this (also raised by Kelvin): how do we
decide what's a good Verified Method of Communication? Which, to me is
basically the question of how secure from interception (as opposed to
eavesdropping) do we want a Verified Method of Communication to be?

It's fairly hard for a non-government to intercept and redirect a
letter, or a call made from a landline phone to another one. Do we have
the same level of confidence about mobile phones, email addresses etc.?
Perhaps we do. I might even have more confidence that, given a Skype
nickname, a Skype call to that nickname would connect with its owner
than I would have confidence that an email sent to an email address
would connect with its owner.

We use unencrypted and unauthenticated email for Domain Validation. But
is that something we want to rely on as our approved mechanism of
communication for EV issuance?

I think this merits further discussion. I'm torn what to do now, as
voting ends today. I think I'll stick with NO, but I would be very open
to a resubmission of this ballot once we've discussed and addressed this
question of what should and shouldn't qualify as a VMC."

So we should discuss the principles which make something suitable or
otherwise as a VMC.

Gerv