[cabfpub] Ballot 122 - Verified Method of Communication

Jeremy Rowley jeremy.rowley at digicert.com
Fri May 9 17:29:00 UTC 2014
Right - and I think you replace it with the proposed "verified method of
communication".  You already have physical address to account for physical
existence.  With a method of communication, you know (1) where they are
physically located and (2) how to talk to them.  IMO, this is adequate for
physical existence considering you also know who they are, where they are
operating, the fact they are operating, the certificate requester's
authorization to obtain a certificate, etc.

Jeremy

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Kelvin Yiu
Sent: Friday, May 9, 2014 11:13 AM
To: Jeremy Rowley; 'Gervase Markham'; 'Ryan Sleevi'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

I don't think CAs are being asked to keep using landlines to verify physical
existence. The question is what do you replace it with, if anything, for the
physical existence test?

Kelvin

-----Original Message-----
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Friday, May 9, 2014 9:54 AM
To: 'Gervase Markham'; 'Ryan Sleevi'
Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
Subject: RE: [cabfpub] Ballot 122 - Verified Method of Communication

Every policy reaches a point where additional steps add complexity without
providing an equivalent increase in assurance.  In my opinion, relying on a
telephone number for physical existence is that point.  CAs already verify
physical existence using an actual registered physical address of the
applicant (PO boxes are prohibited).  The verification process is quite
rigorous. Further requiring a phone number only serves to lock businesses
into an increasingly archaic business structure and inhibit CA innovation.
Ultimately, this all means that replacing the telephone with an additional
certitude on physical existence is not really necessary.

The working group discussed removing this section completely as an
unnecessary additional step.  However, we ultimately still saw value in the
check as a means for establishing a reliable method of communication with
the subscriber.  Unfortunately, unlike most of the EV Guidelines, the
telephone requirement relies on a specific form of technology, a land line.
If the physical existence verification is still a concern for Mozilla, can
you provide guidance on what you'd consider acceptable?  We really need to
get something in place to account for the move away from corporate telephone
numbers.

Jeremy

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Friday, May 9, 2014 3:00 AM
To: Ryan Sleevi; jeremy rowley
Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

On 09/05/14 02:18, Ryan Sleevi wrote:
> Considering that a significant part of the "extended" verification is 
> asserting the physical existence of the subscriber, I have to 
> respectfully disagree here.

I think this is the heart of the question of whether this change, in
principle, is reasonable (that's as opposed to smaller discussions about
appropriate comms methods).

In today's world, does the phone number check add significantly to the
certitude the CA has about the physical existence of the subscriber at the
address from the QIS? If not, then this ballot is OK. If it does, then how
do we replace that additional certitude, for companies who don't have a
landline? Are they inherently more fly-by-night, or do we just need to find
different ways of acquiring that certitude? If we need to find those ways,
let's find them and implement them in the same move as relaxing this
requirement.

> What are the assurances of extended verification for relying parties 
> under this justification? What does it matter that the CA has a 
> reliable means to contact the Subscriber if the RP doesn't?

As someone else pointed out, this phone number is not put in the cert, so
the RP is no worse off. Phone numbers are also reasonably ephemeral today,
even land lines. A registered physical place of business seems to me to be
the correct way to "nail down" a particular company.

Gerv

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public