[cabfpub] Method of Communication (previously Ballot 122 - Verified Method of Communication)

Jeremy Rowley jeremy.rowley at digicert.com
Thu May 8 16:13:20 UTC 2014

We should discuss this issue on the main list rather than reverting to the
Working Group.   

The methods of communication were chosen for ballot 122 based on what
Subscribers typically use to communicate with a CA about certificate
requests (which is why Skype, facebook, twitter, and others were not
included). Reliability is confirmed by requiring the CA to confirm the
method of communication using a QIIS, QGIS, or attorney opinion letter.  If
we are willing to rely on an unencrypted email (or even WHOIS) for domain
validation, an email address listed in a government repository is probably
equally as reliable. Thoughts?


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Thursday, May 8, 2014 4:48 AM
To: ben at digicert.com; 'Kelvin Yiu'; public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

On 07/05/14 22:01, Ben Wilson wrote:
> I think that when we wrote 11.4.2 we all thought that it would serve 
> well as a "catch all" - doing triple duty for 1- physical address, 2- 
> business operational existence,  and 3 - "to confirm other 
> verification requirements," but I don't think that is still the case 
> for a growing minority of online businesses seeking SSL/TLS 
> certificates.

Having re-reviewed section 11, I think your case is pretty well made. I am
no longer concerned that this will result in a weakening of the checks of an
applicant's physical existence - which is the key check because it
establishes jurisdiction and it is also the info placed in the cert itself.

The remaining issue for me is this (also raised by Kelvin): how do we decide
what's a good Verified Method of Communication? Which, to me is basically
the question of how secure from interception (as opposed to
eavesdropping) do we want a Verified Method of Communication to be?

It's fairly hard for a non-government to intercept and redirect a letter, or
a call made from a landline phone to another one. Do we have the same level
of confidence about mobile phones, email addresses etc.?
Perhaps we do. I might even have more confidence that, given a Skype
nickname, a Skype call to that nickname would connect with its owner than I
would have confidence that an email sent to an email address would connect
with its owner.

We use unencrypted and unauthenticated email for Domain Validation. But is
that something we want to rely on as our approved mechanism of communication
for EV issuance?

I think this merits further discussion. I'm torn what to do now, as voting
ends today. I think I'll stick with NO, but I would be very open to a
resubmission of this ballot once we've discussed and addressed this question
of what should and shouldn't qualify as a VMC.

Public mailing list
Public at cabforum.org

More information about the Public mailing list