[cabfpub] Ballot 122 - Verified Method of Communication

Rich Smith richard.smith at comodo.com
Fri May 9 20:18:34 UTC 2014


OK, so we kicked this around in the EV WG for quite some time.  We
discussed, questioned, and came up with what we still think is a reasonable
update to the Guidelines to address a REAL issue.  I hear a lot of NOs and a
lot of what ifs.  Does anyone have what they think is a viable and
reasonable alternative or an actual suggestion as to how we can modify to
come up with a ballot that you would support?
-Rich

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Moudrick M. Dadashov
> Sent: Friday, May 09, 2014 3:55 PM
> To: Jeremy Rowley; 'Kelvin Yiu'; 'Gervase Markham'; 'Ryan Sleevi'
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
> 
> Hi Jeremy,
> 
> 
> That was a test case for EV verification, Jeremy, what would prevent
> issuing EV SSL to one of these paper companies?
> 
> Thanks,
> M.D.
> 
> On 5/9/2014 10:09 PM, Jeremy Rowley wrote:
> > If that's an acceptable result from your verification of physical
> > existence,
> you may have heard we are not issuing EV certs yet, nevertheless our
> verification procedure always starts with the authentication of
> applicant's representative (natural person).
> > maybe you should consider re-evaluating your (and your auditor's)
> Thanks for the lesson Jeremy, I'm glad you advised.
> 
> In fact that was a test case, what would prevent you from issuing an EV
> cert for one of these businesses, keeping in mind the geographic
> distance.
> 
> Thanks,
> M.D.
> 
> > understanding of Section 11.4.1.
> >
> > Jeremy
> >
> > -----Original Message-----
> > From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> > Sent: Friday, May 9, 2014 12:00 PM
> > To: Kelvin Yiu; Jeremy Rowley; 'Gervase Markham'; 'Ryan Sleevi'
> > Cc: public at cabforum.org
> > Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
> >
> > +1
> >
> > As an illustration attached please find legal/physical existence of
> > 100s of companies.
> >
> > Thanks,
> > M.D.
> >
> > On 5/9/2014 8:13 PM, Kelvin Yiu wrote:
> >> I don't think CAs are being asked to keep using landlines to verify
> >> physical existence. The question is what do you replace it with, if
> >> any for the physical existence test?
> >>
> >> Kelvin
> >>
> >> -----Original Message-----
> >> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
> >> Sent: Friday, May 9, 2014 9:54 AM
> >> To: 'Gervase Markham'; 'Ryan Sleevi'
> >> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
> >> Subject: RE: [cabfpub] Ballot 122 - Verified Method of Communication
> >>
> >> Every policy reaches a point where additional steps add complexity
> >> without providing an equivalent increase in assurance. In my opinion,
> >> relying on a telephone number for physical existence is that point. CAs
> >> already verify physical existence using an actual registered physical
> >> address of the applicant (PO boxes are prohibited). The verification
> >> process is quite rigorous. Further requiring a phone number only
> >> serves to lock businesses into an increasingly archaic business
> >> structure and inhibit CA innovation.
> >> Ultimately, this all means that replacing the telephone with an
> >> additional certitude on physical existence is not really necessary.
> >>
> >> The working group discussed removing this section completely as an
> >> unnecessary additional step. However, we ultimately still saw value
> >> in the check as a means for establishing a reliable method of
> >> communication with the subscriber. Unfortunately, unlike most of the
> >> EV Guidelines, the telephone requirement relies on a specific form of
> >> technology, a land line.
> >>
> >> If the physical existence verification is still a concern for
> >> Mozilla, can you provide guidance on what you'd consider acceptable?
> >> We really need to get something in place to account for the move away
> >> from corporate telephone numbers.
> >>
> >> Jeremy
> >>
> >> -----Original Message-----
> >> From: Gervase Markham [mailto:gerv at mozilla.org]
> >> Sent: Friday, May 9, 2014 3:00 AM
> >> To: Ryan Sleevi; jeremy rowley
> >> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
> >> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
> >>
> >> On 09/05/14 02:18, Ryan Sleevi wrote:
> >>> Considering that a significant part of the "extended" verification
> >>> is asserting the physical existence of the subscriber, I have to
> >>> respectfully disagree here.
> >> I think this is the heart of the question of whether this change, in
> >> principle, is reasonable (that's as opposed to smaller discussions
> >> about appropriate comms methods).
> >>
> >> In today's world, does the phone number check add significantly to
> >> the certitude the CA has about the physical existence of the subscriber
> >> at the address from the QIS? If not, then this ballot is OK. If it does,
> >> then how do we replace that additional certitude, for companies who
> >> don't have a landline? Are they inherently more fly-by-night, or do we
> >> just need to find different ways of acquiring that certitude. If we
> >> need to find those ways, let's find them and implement them in the
> >> same move as relaxing this requirement.
> >>
> >>> What are the assurances of extended verification for relying parties
> >>> under this justification? What does it matter that the CA has a
> >>> reliable means to contact the Subscriber if the RP doesn't?
> >>
> >> As someone else pointed out, this phone number is not put in the
> >> cert, so the RP is no worse off. Phone numbers are also reasonably
> >> ephemeral today, even land lines. A registered physical place of
> >> business seems to me to be the correct way to "nail down" a particular
> >> company.
> >>
> >> Gerv
> >>
