[cabfpub] Ballot 122 - Verified Method of Communication

Moudrick M. Dadashov md at ssc.lt
Fri May 9 19:55:12 UTC 2014


Hi Jeremy,


That was a test case for EV verification, Jeremy, what would prevent 
issuing EV SSL to one of these paper companies?

Thanks,
M.D.

On 5/9/2014 10:09 PM, Jeremy Rowley wrote:
> If that's an acceptable result from your verification of physical existence,
You may have heard we are not issuing EV certs yet, nevertheless our 
verification procedure always starts with the authentication of 
applicant's representative (natural person).
> maybe you should consider re-evaluating your (and your auditor's)
Thanks for the lesson Jeremy, I'm glad you advised.

In fact that was a test case, what would prevent you from issuing an EV cert 
for one of these businesses, keeping in mind the geographic distance?

Thanks,
M.D.

> understanding of Section 11.4.1.
>
> Jeremy
>
> -----Original Message-----
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Friday, May 9, 2014 12:00 PM
> To: Kelvin Yiu; Jeremy Rowley; 'Gervase Markham'; 'Ryan Sleevi'
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>
> +1
>
> As an illustration attached please find legal/physical existence of 100s
> of companies.
>
> Thanks,
> M.D.
>
> On 5/9/2014 8:13 PM, Kelvin Yiu wrote:
>> I don't think CAs are being asked to keep using landlines to verify
>> physical existence. The question is what do you replace it with, if any for
>> the physical existence test?
>> Kelvin
>>
>> -----Original Message-----
>> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
>> Sent: Friday, May 9, 2014 9:54 AM
>> To: 'Gervase Markham'; 'Ryan Sleevi'
>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>> Subject: RE: [cabfpub] Ballot 122 - Verified Method of Communication
>>
>> Every policy reaches a point where additional steps add complexity without
>> providing an equivalent increase in assurance.  In my opinion, relying on a
>> telephone number for physical existence is that point.  CAs already verify
>> physical existence using an actual registered physical address of the
>> applicant (PO boxes are prohibited).  The verification process is quite
>> rigorous. Further requiring a phone number only serves to lock businesses
>> into an increasingly archaic business structure and inhibit CA innovation.
>> Ultimately, this all means that replacing the telephone with an additional
>> certitude on physical existence is not really necessary.
>>
>> The working group discussed removing this section completely as an
>> unnecessary additional step.  However, we ultimately still saw value in the
>> check as a means for establishing a reliable method of communication with
>> the subscriber.  Unfortunately, unlike most of the EV Guidelines, the
>> telephone requirement relies on a specific form of technology, a land line.
>>
>> If the physical existence verification is still a concern for Mozilla, can
>> you provide guidance on what you'd consider acceptable?  We really need to
>> get something in place to account for the move away from corporate telephone
>> numbers.
>>
>> Jeremy
>>
>> -----Original Message-----
>> From: Gervase Markham [mailto:gerv at mozilla.org]
>> Sent: Friday, May 9, 2014 3:00 AM
>> To: Ryan Sleevi; jeremy rowley
>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>
>> On 09/05/14 02:18, Ryan Sleevi wrote:
>>> Considering that a significant part of the "extended" verification is
>>> asserting the physical existence of the subscriber, I have to
>>> respectfully disagree here.
>> I think this is the heart of the question of whether this change, in
>> principle, is reasonable (that's as opposed to smaller discussions about
>> appropriate comms methods).
>>
>> In today's world, does the phone number check add significantly to the
>> certitude the CA has about the physical existence of the subscriber at the
>> address from the QIS? If not, then this ballot is OK. If it does, then how
>> do we replace that additional certitude, for companies who don't have a
>> landline? Are they inherently more fly-by-night, or do we just need to find
>> different ways of acquiring that certitude. If we need to find those ways,
>> let's find them and implement them in the same move as relaxing this
>> requirement.
>>> What are the assurances of extended verification for relying parties
>>> under this justification? What does it matter that the CA has a
>>> reliable means to contact the Subscriber if the RP doesn't?
>> As someone else pointed out, this phone number is not put in the cert, so
>> the RP is no worse off. Phone numbers are also reasonably ephemeral today,
>> even land lines. A registered physical place of business seems to me to be
>> the correct way to "nail down" a particular company.
>>
>> Gerv
>>
>

