[cabfpub] Ballot 122 - Verified Method of Communication

Ben Wilson ben at digicert.com
Wed May 7 21:01:42 UTC 2014


Gerv and Kelvin,

I understand your desire not to diminish the meaning of EV indications provided by browsers.

As Gerv pointed out, the current version of section 11.4.2 of EV Guidelines states as its purpose to "further verify" a physical location.  However, in proposing the new language for section 11.4.2, in the ballot we recognized a desire to maintain that same assurance but changed the stated purpose by restating it "to assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance."  

This is still in line with current EV standards, and also with the "alternative communication channel" language in section 7 of the Mozilla Inclusion policy, which states, "... verification of certificate signing requests [are] acceptable [where] ... information that is supplied by the certificate subscriber must be verified by using an independent source of information or an alternative communication channel before it is included in the certificate."

We thought that it was no longer necessary or effective under the current 11.4.2 to double-verify the address to be put in the certificate because other checks in the EV process exist.   I believe the "real" purpose for 11.4.2 was risk mitigation, because 11.4.1 is the key provision for verifying someone's physical address -- section 9.2.7 says that the verified address of the physical location of the Subject’s Place of Business is put in the certificate, not the phone number.

I think that when we wrote 11.4.2 we all thought that it would serve well as a "catch all" - doing triple duty for 1 - physical address, 2 - business operational existence, and 3 - "to confirm other verification requirements," but I don't think that is still the case for a growing minority of online businesses seeking SSL/TLS certificates.
We could change the ballot language to expand the scope of purpose beyond mere "reliable communication," but it appears you are looking for "extra" things -- I don't think we need any "big" changes to the ballot for it to pass muster.

The first point of my argument would be that 11.4.2(1) is a mandatory requirement - the CA has to perform a task and check it off and record performance of it for audit purposes.

Second, the step required by 11.4.2 is not just to set up a trusted communication channel, but also to "confirm that the Applicant is aware of and approves issuance."  Interestingly, the original EV language was "that Applicant is aware of its registration or exclusive control of the domain name."  The logic behind that language was that we were trying to prevent typosquatters and phishers from registering (through a weak registrar process) and obtaining an EV certificate as "Mozilla Foundation" or "Microsoft Corp." -- we wanted the CA to contact the real Microsoft or Mozilla Foundation to prevent use of certificates in combination with phishing attacks.

Third, putting aside the "physical address" objective and focusing instead on the risk mitigation strategy, I think the proposed language preserves the same "level of assurance" required for EV vetting.  Not only has the usefulness of phone number verification processes weakened since the section was first written, but the registration of other communication methods with government and QIISs has increased -- it's a fair trade.

Fourth, final cross-checking and due diligence under subsections 11.12(1) through (3) should not be overlooked.  Under (1) "The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group."  Under (2) "The CA MUST obtain and document further explanation or clarification ... to resolve those discrepancies or details that require further explanation."  And under (3) "The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate."

Thanks,

Ben

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Kelvin Yiu
Sent: Wednesday, May 07, 2014 1:15 PM
To: Gervase Markham; public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

Microsoft votes NO.

I share Gerv's concern. It is not clear to me how section 11.4.2 contributes to the verification of the applicant's physical existence and I am concerned that removing 11.4.2 may weaken section 11.4 overall. I also would like to see a tighter definition for the acceptable methods of communications, perhaps with a set of principles that can be used to justify why a particular method of communication is sufficiently reliable.

Kelvin

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Friday, May 2, 2014 2:05 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

On 01/05/14 17:43, Ben Wilson wrote:
> Voting starts today.  (Unless otherwise told, I am counting the votes 
> received already from SECOM and Actalis.)

The question here is: what is the "Telephone Number for Applicant’s Place of Business" requirement actually there for? Is it to make sure that the CA can communicate with the applicant during the issuance process? Or is it part of the system making sure that the applicant is who they say they are, and can be traced as real?

Is the information obtained here part of the cert, or not?

The EV Guidelines say:

"To further verify the Applicant’s physical existence and business presence, as well as to assist in confirming other verification requirements, the CA MUST verify a main telephone number for one of the Applicant’s Places of Business."

I don't think an email address does anything to "further verify the Applicant’s physical existence and business presence".

However, I do see the issue that perhaps there are now businesses out there who do not have a standard fixed landline phone. I am open to finding a solution to this issue, but it seems to me that:

"a public telecommunication routing number (ITU-T E.164-compliant fixed, mobile, fax, or SMS), an email address, or a postal delivery address"

is too broad, and the new requirement does not serve the same purpose as the old, as it says it's solely for obtaining "a reliable way of communicating with the Applicant".

So Mozilla's current vote is NO.

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public