[cabfpub] Ballot 122 - Verified Method of Communication

Jeremy Rowley jeremy.rowley at digicert.com
Fri May 9 01:05:34 UTC 2014 

In an age when companies are spread globally and everyone works remote,
multiple physical existence checks aren't  as important as ensuring the CA
has a verified and reliable way to communicate with the subscriber about
certificate requests. A single check for the address combined with reliable
communication with the applicant provides a better level of assurance than
requiring companies to stick with land lines.  I believe the proposed ballot
will actually help increase security by permitting CAs to communicate using
a Subscriber's preferred method of communication instead of trying to find
authorization through a general phone number, hoping they are eventually
reach the correct person.  

Because the Guidelines still require a CA to verify the contact info with a
QIIS/QGIS (or attorney), what is the "predefined security bar" that CAs
should meet?  In the working group (and during a couple of face-to-face
conversations), we believed email, telephone, and postal address all met
some minimum bar since they are all methods that subscribers use to
routinely conduct business.  However, we didn't necessarily think that
skype/VOIP, facebook, twitter, or other methods of communication were quite
sufficient.  Since the browsers were the only ones to vote against the
ballot, is there something specific you want included?

Jeremy  

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Kelvin Yiu
Sent: Thursday, May 8, 2014 3:10 PM
To: Gervase Markham; ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

I don't disagree with the fact that using a landline telephone number to
verify physical existence is increasingly irrelevant. However, I vaguely
recall discussions in the early meetings (before we coined the term EV)
where we wanted to have 2 data sources to verify physical existence and the
landline phone company was considered a good secondary source. 

It is entirely possible that information from Q*ISs have gotten so good that
we don't need a secondary verification and I just don't know it. I just
haven't seen any discussion on whether we need to improve the physical
existence test or whether a physical existence test is still relevant.

To be clear, I have no problems with using mobile phones, Skype/VoIP, email,
or whatever the next new thing is to communicate with the applicant, as long
as the contact info originate from a Q*IS and the method meets a predefined
security bar. 

Kelvin

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Thursday, May 8, 2014 3:48 AM
To: ben at digicert.com; Kelvin Yiu; public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

On 07/05/14 22:01, Ben Wilson wrote:
> I think that when we wrote 11.4.2 we all thought that it would serve 
> well as a "catch all" - doing triple duty for 1- physical address, 2- 
> business operational existence,  and 3 - "to confirm other 
> verification requirements," but I don't think that is still the case 
> for a growing minority of online businesses seeking SSL/TLS 
> certificates.

Having re-reviewed section 11, I think your case is pretty well made. I am
no longer concerned that this will result in a weakening of the checks of an
applicant's physical existence - which is the key check because it
establishes jurisdiction and it is also the info placed in the cert itself.

The remaining issue for me is this (also raised by Kelvin): how do we decide
what's a good Verified Method of Communication? Which, to me is basically
the question of how secure from interception (as opposed to
eavesdropping) do we want a Verified Method of Communication to be?

It's fairly hard for a non-government to intercept and redirect a letter, or
a call made from a landline phone to another one. Do we have the same level
of confidence about mobile phones, email addresses etc.?
Perhaps we do. I might even have more confidence that, given a Skype
nickname, a Skype call to that nickname would connect with its owner than I
would have confidence that an email sent to an email address would connect
with its owner.

We use unencrypted and unauthenticated email for Domain Validation. But is
that something we want to rely on as our approved mechanism of communication
for EV issuance?

I think this merits further discussion. I'm torn what to do now, as voting
ends today. I think I'll stick with NO, but I would be very open to a
resubmission of this ballot once we've discussed and addressed this question
of what should and shouldn't qualify as a VMC.

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list