[cabfpub] Ballot 122 - Verified Method of Communication

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Fri May 9 04:56:05 UTC 2014

I will just add to Jeremy's excellent summary with some historical perspective.

When the first draft of the EVGL (called "High Assurance" at that time) was considered in 2005, verifying the customer's phone number was basically a no-brainer afterthought.  Of course that's what we would all do -- simple, look in the phone book, why not.  Now, it's harder and harder, even for very real companies you know exist.  We are finding newer, mid-size companies that don't want to bother with a land line anymore (some are tech companies who think copper wire is too 19th century to bother).  Do we want to force them all to produce a lawyer/accountant letter attesting to which phone number you can use to reach them?  That's about the only alternative today under the current EVGL.

For EV, we must find the customer in a major database (with physical address), in a government registry, and be able to communicate with them through a reliable means to confirm with the customer rep and generally (for EV) with the Contract Signer and often with someone in HR.  We must also record the name and address of their official Registered Agent in the government database -- that's the person who receives official mail, legal summons, etc. on their behalf.

I prefer finding a phone number for a customer in a directory, but sadly it's going the way of 8 track tapes and dial phones, and doesn't really confirm physical location in any case.  I expect that in the next decade, there will be new, third party, reliable directories on how to reach companies -- maybe a government registry, maybe something else.  We will see what Norway does.  Each must be evaluated on its own, and maybe as Jeremy suggests the Forum in some way must approve each new method.  But I can tell you that land lines are going away for many real business customers, and we don't want to shut them out from EV certs.

Plus I can tell you that for a number of major tech companies, their land lines go to an automated switchboard where you can NEVER reach a real person (e.g., a major server company in Silicon Valley you all know, which will go unnamed), only endless recorded loops and never any chance to reach a human operator, so land lines are maybe overrated.

I'm curious -- I'll bet many on this list have dropped their land lines, and just use mobile or VOIP (many of my friends have, and I may soon).  So does that put us in a new, questionable category?

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, May 08, 2014 6:06 PM
To: 'Kelvin Yiu'; 'Gervase Markham'; ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

In an age when companies are spread globally and everyone works remote, multiple physical existence checks aren't as important as ensuring the CA has a verified and reliable way to communicate with the subscriber about certificate requests. A single check for the address combined with reliable communication with the applicant provides a better level of assurance than requiring companies to stick with land lines.  I believe the proposed ballot will actually help increase security by permitting CAs to communicate using a Subscriber's preferred method of communication instead of trying to find authorization through a general phone number, hoping they eventually reach the correct person.

Because the Guidelines still require a CA to verify the contact info with a QIIS/QGIS (or attorney), what is the "predefined security bar" that CAs should meet?  In the working group (and during a couple of face-to-face conversations), we believed email, telephone, and postal address all met some minimum bar since they are all methods that subscribers use to routinely conduct business.  However, we didn't necessarily think that skype/VOIP, facebook, twitter, or other methods of communication were quite sufficient.  Since the browsers were the only ones to vote against the ballot, is there something specific you want included?


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Kelvin Yiu
Sent: Thursday, May 8, 2014 3:10 PM
To: Gervase Markham; ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

I don't disagree with the fact that using a landline telephone number to verify physical existence is increasingly irrelevant. However, I vaguely recall discussions in the early meetings (before we coined the term EV) where we wanted to have 2 data sources to verify physical existence and the landline phone company was considered a good secondary source. 

It is entirely possible that information from Q*ISs has gotten so good that we don't need a secondary verification and I just don't know it. I just haven't seen any discussion on whether we need to improve the physical existence test or whether a physical existence test is still relevant.

To be clear, I have no problems with using mobile phones, Skype/VoIP, email, or whatever the next new thing is to communicate with the applicant, as long as the contact info originates from a Q*IS and the method meets a predefined security bar.


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Thursday, May 8, 2014 3:48 AM
To: ben at digicert.com; Kelvin Yiu; public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

On 07/05/14 22:01, Ben Wilson wrote:
> I think that when we wrote 11.4.2 we all thought that it would serve 
> well as a "catch all" - doing triple duty for 1- physical address, 2- 
> business operational existence,  and 3 - "to confirm other 
> verification requirements," but I don't think that is still the case 
> for a growing minority of online businesses seeking SSL/TLS 
> certificates.

Having re-reviewed section 11, I think your case is pretty well made. I am no longer concerned that this will result in a weakening of the checks of an applicant's physical existence - which is the key check because it establishes jurisdiction and it is also the info placed in the cert itself.

The remaining issue for me is this (also raised by Kelvin): how do we decide what's a good Verified Method of Communication? Which, to me, is basically the question of how secure from interception (as opposed to eavesdropping) do we want a Verified Method of Communication to be?

It's fairly hard for a non-government to intercept and redirect a letter, or a call made from a landline phone to another one. Do we have the same level of confidence about mobile phones, email addresses etc.? Perhaps we do. I might even have more confidence that, given a Skype nickname, a Skype call to that nickname would connect with its owner than I would have confidence that an email sent to an email address would connect with its owner.

We use unencrypted and unauthenticated email for Domain Validation. But is that something we want to rely on as our approved mechanism of communication for EV issuance?

I think this merits further discussion. I'm torn what to do now, as voting ends today. I think I'll stick with NO, but I would be very open to a resubmission of this ballot once we've discussed and addressed this question of what should and shouldn't qualify as a VMC.

Public mailing list
Public at cabforum.org
