[cabfpub] Ballot 122 - Verified Method of Communication

Moudrick M. Dadashov md at ssc.lt
Fri May 9 21:05:05 UTC 2014


Just list your steps that would generate your final decision to issue 
(or not) the EV cert.

Thanks,
M.D.

On 5/9/2014 11:56 PM, Jeremy Rowley wrote:
> To turn your question on its head - how would a telephone number prevent the
> address from being verified?  The address verification is not linked to the
> telephone verification.
>
> Jeremy
>
> -----Original Message-----
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Friday, May 9, 2014 2:54 PM
> To: richard.smith at comodo.com; 'Jeremy Rowley'; 'Kelvin Yiu'; 'Gervase
> Markham'; 'Ryan Sleevi'
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>
> Excellent point, Rich.
> I'd love it if we required an alternative/suggestion with every NO. And
> it would be a rule.
> Unfortunately for this specific ballot I didn't have a good answer,
> hence why I voted "abstain".
>
> I thought the proposal would have been much more convincing if someone could
> show us how it'd work for a REAL life case (see attached pic).
>
> Thanks,
> M.D.
>
> On 5/9/2014 11:18 PM, Rich Smith wrote:
>> OK, so we kicked this around in the EV WG for quite some time.  We
>> discussed, questioned, and came up with what we still think is a reasonable
>> update to the Guidelines to address a REAL issue.  I hear a lot of NOs and a
>> lot of what ifs.  Does anyone have what they think is a viable and
>> reasonable alternative or an actual suggestion as to how we can modify to
>> come up with a ballot that you would support?
>> -Rich
>>
>>> -----Original Message-----
>>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>> On Behalf Of Moudrick M. Dadashov
>>> Sent: Friday, May 09, 2014 3:55 PM
>>> To: Jeremy Rowley; 'Kelvin Yiu'; 'Gervase Markham'; 'Ryan Sleevi'
>>> Cc: public at cabforum.org
>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>
>>> Hi Jeremy,
>>>
>>>
>>> That was a test case for EV verification, Jeremy, what would prevent
>>> issuing EV SSL to one of these paper companies?
>>>
>>> Thanks,
>>> M.D.
>>>
>>> On 5/9/2014 10:09 PM, Jeremy Rowley wrote:
>>>> If that's an acceptable result from your verification of physical
>>>> existence,
>>> you may have heard we are not issuing EV certs yet, nevertheless our
>>> verification procedure always starts with the authentication of
>>> applicant's representative (natural person).
>>>> maybe you should consider re-evaluating your (and your auditor's)
>>>> understanding of Section 11.4.1.
>>> Thanks for the lesson Jeremy, I'm glad you advised.
>>>
>>> In fact that was a test case, what would prevent you from issuing an EV
>>> cert for one of these businesses, keeping in mind the geographic
>>> distance?
>>>
>>> Thanks,
>>> M.D.
>>>
>>>>
>>>> Jeremy
>>>>
>>>> -----Original Message-----
>>>> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
>>>> Sent: Friday, May 9, 2014 12:00 PM
>>>> To: Kelvin Yiu; Jeremy Rowley; 'Gervase Markham'; 'Ryan Sleevi'
>>>> Cc: public at cabforum.org
>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>
>>>> +1
>>>>
>>>> As an illustration attached please find legal/physical existence of
>>>> 100s of companies.
>>>>
>>>> Thanks,
>>>> M.D.
>>>>
>>>> On 5/9/2014 8:13 PM, Kelvin Yiu wrote:
>>>>> I don't think CAs are being asked to keep using landlines to verify
>>>>> physical existence. The question is what do you replace it with, if
>>>>> any, for the physical existence test?
>>>>> Kelvin
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
>>>>> Sent: Friday, May 9, 2014 9:54 AM
>>>>> To: 'Gervase Markham'; 'Ryan Sleevi'
>>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>>> Subject: RE: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>>
>>>>> Every policy reaches a point where additional steps add complexity
>>>>> without providing an equivalent increase in assurance.  In my opinion,
>>>>> relying on a telephone number for physical existence is that point.  CAs
>>>>> already verify physical existence using an actual registered physical
>>>>> address of the applicant (PO boxes are prohibited).  The verification
>>>>> process is quite rigorous. Further requiring a phone number only
>>>>> serves to lock businesses into an increasingly archaic business
>>>>> structure and inhibit CA innovation.
>>>>> Ultimately, this all means that replacing the telephone with an
>>>>> additional certitude on physical existence is not really necessary.
>>>>>
>>>>> The working group discussed removing this section completely as an
>>>>> unnecessary additional step.  However, we ultimately still saw value
>>>>> in the check as a means for establishing a reliable method of
>>>>> communication with the subscriber.  Unfortunately, unlike most of the
>>>>> EV Guidelines, the telephone requirement relies on a specific form of
>>>>> technology, a land line.
>>>>>
>>>>> If the physical existence verification is still a concern for
>>>>> Mozilla, can you provide guidance on what you'd consider acceptable?  We
>>>>> really need to get something in place to account for the move away from
>>>>> corporate telephone numbers.
>>>>>
>>>>> Jeremy
>>>>>
>>>>> -----Original Message-----
>>>>> From: Gervase Markham [mailto:gerv at mozilla.org]
>>>>> Sent: Friday, May 9, 2014 3:00 AM
>>>>> To: Ryan Sleevi; jeremy rowley
>>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>>
>>>>> On 09/05/14 02:18, Ryan Sleevi wrote:
>>>>>> Considering that a significant part of the "extended" verification
>>>>>> is asserting the physical existence of the subscriber, I have to
>>>>>> respectfully disagree here.
>>>>> I think this is the heart of the question of whether this change, in
>>>>> principle, is reasonable (that's as opposed to smaller discussions
>>>>> about appropriate comms methods).
>>>>>
>>>>> In today's world, does the phone number check add significantly to
>>>>> the certitude the CA has about the physical existence of the subscriber
>>>>> at the address from the QIS? If not, then this ballot is OK. If it does,
>>>>> then how do we replace that additional certitude, for companies who
>>>>> don't have a landline? Are they inherently more fly-by-night, or do we
>>>>> just need to find different ways of acquiring that certitude? If we
>>>>> need to find those ways, let's find them and implement them in the
>>>>> same move as relaxing this requirement.
>>>>>
>>>>>> What are the assurances of extended verification for relying parties
>>>>>> under this justification? What does it matter that the CA has a
>>>>>> reliable means to contact the Subscriber if the RP doesn't?
>>>>> As someone else pointed out, this phone number is not put in the
>>>>> cert, so the RP is no worse off. Phone numbers are also reasonably
>>>>> ephemeral today, even land lines. A registered physical place of business
>>>>> seems to me to be the correct way to "nail down" a particular company.
>>>>>
>>>>> Gerv
>>>>>
>>>>> _______________________________________________
>>>>> Public mailing list
>>>>> Public at cabforum.org
>>>>> https://cabforum.org/mailman/listinfo/public