[cabfpub] Ballot 122 - Verified Method of Communication

Jeremy Rowley jeremy.rowley at digicert.com
Fri May 9 02:01:54 UTC 2014

Also, I’d like to point out that the BRs and EV guidelines have the same number of sections on physical existence so I’d hardly call that the “significant part of the extended verification”.


Considering we have an actual case where a country is getting rid of land lines (Norway), shouldn’t we provide an alternate and reliable path to verification?  




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, May 8, 2014 7:28 PM
To: 'Ryan Sleevi'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication


> In an age when companies are spread globally and everyone works remote,
> multiple physical existence checks aren't  as important as ensuring the CA
> has a verified and reliable way to communicate with the subscriber about
> certificate requests. 

Considering that a significant part of the "extended" verification is asserting the physical existence of the subscriber, I have to respectfully disagree here.

[JR] Considering CAs still have to verify physical address, authorization, the HR department, and operational existence, does the land line really help you know anything additional?  I’m not sure what it adds over the other parts we already confirm. 

> A single check for the address combined with reliable
> communication with the applicant provides a better level of assurance than
> requiring companies to stick with land lines.  I believe the proposed ballot
> will actually help increase security by permitting CAs to communicate using
> a Subscriber's preferred method of communication instead of trying to find
> authorization through a general phone number, hoping they eventually
> reach the correct person.

What are the assurances of extended verification for relying parties under this justification? What does it matter that the CA has a reliable means to contact the Subscriber if the RP doesn't?

[JR] What assurances do they have with a verified phone number? The CA’s verification still doesn’t help the RP contact the subscriber. The assurances are that someone who actually knows what they are talking about authorized the certificate (in the certificate approver section), not that a receptionist answered a phone. 

> Because the Guidelines still require a CA to verify the contact info with a
> QIIS/QGIS (or attorney), what is the "predefined security bar" that CAs
> should meet?  In the working group (and during a couple of face-to-face
> conversations), we believed email, telephone, and postal address all met
> some minimum bar since they are all methods that subscribers use to
> routinely conduct business.  However, we didn't necessarily think that
> Skype/VoIP, Facebook, Twitter, or other methods of communication were quite
> sufficient.  Since the browsers were the only ones to vote against the
> ballot, is there something specific you want included?
> Jeremy
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Kelvin Yiu
> Sent: Thursday, May 8, 2014 3:10 PM
> To: Gervase Markham; ben at digicert.com; public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>
> I don't disagree with the fact that using a landline telephone number to
> verify physical existence is increasingly irrelevant. However, I vaguely
> recall discussions in the early meetings (before we coined the term EV)
> where we wanted to have 2 data sources to verify physical existence and the
> landline phone company was considered a good secondary source.
>
> It is entirely possible that information from Q*ISs has gotten so good that
> we don't need a secondary verification and I just don't know it. I just
> haven't seen any discussion on whether we need to improve the physical
> existence test or whether a physical existence test is still relevant.
>
> To be clear, I have no problems with using mobile phones, Skype/VoIP, email,
> or whatever the next new thing is to communicate with the applicant, as long
> as the contact info originates from a Q*IS and the method meets a predefined
> security bar.
>
> Kelvin
>
> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Thursday, May 8, 2014 3:48 AM
> To: ben at digicert.com; Kelvin Yiu; public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>
> On 07/05/14 22:01, Ben Wilson wrote:
> > I think that when we wrote 11.4.2 we all thought that it would serve
> > well as a "catch all" - doing triple duty for 1- physical address, 2-
> > business operational existence,  and 3 - "to confirm other
> > verification requirements," but I don't think that is still the case
> > for a growing minority of online businesses seeking SSL/TLS
> > certificates.
>
> Having re-reviewed section 11, I think your case is pretty well made. I am
> no longer concerned that this will result in a weakening of the checks of an
> applicant's physical existence - which is the key check because it
> establishes jurisdiction and it is also the info placed in the cert itself.
>
> The remaining issue for me is this (also raised by Kelvin): how do we decide
> what's a good Verified Method of Communication? Which, to me, is basically
> the question of how secure from interception (as opposed to
> eavesdropping) do we want a Verified Method of Communication to be?
>
> It's fairly hard for a non-government to intercept and redirect a letter, or
> a call made from a landline phone to another one. Do we have the same level
> of confidence about mobile phones, email addresses etc.?
>
> Perhaps we do. I might even have more confidence that, given a Skype
> nickname, a Skype call to that nickname would connect with its owner than I
> would have confidence that an email sent to an email address would connect
> with its owner.
>
> We use unencrypted and unauthenticated email for Domain Validation. But is
> that something we want to rely on as our approved mechanism of communication
> for EV issuance?
>
> I think this merits further discussion. I'm torn what to do now, as voting
> ends today. I think I'll stick with NO, but I would be very open to a
> resubmission of this ballot once we've discussed and addressed this question
> of what should and shouldn't qualify as a VMC.
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
