[cabfpub] Ballot 122 - Verified Method of Communication

Jeremy Rowley jeremy.rowley at digicert.com
Fri May 9 21:30:25 UTC 2014


Their real address where they do business? Then I'd follow the EV
Guidelines:
1) Verify legal existence under 11.2
2) Verify assumed name under 11.3
3) Verify physical existence under 11.4
4) Verify operational existence under 11.5
5) Verify domain name under 11.6
6) Verify the signer and approver under 11.7
7) Verify the request and agreement under 11.8
8) Verify approval under 11.9
9) Perform the high risk checks under 11.11
10) Have a final cross-correlation under 11.12

The entire process would lead me to my final decision.

Jeremy

-----Original Message-----
From: Moudrick M. Dadashov [mailto:md at ssc.lt] 
Sent: Friday, May 9, 2014 3:24 PM
To: Jeremy Rowley; richard.smith at comodo.com; 'Kelvin Yiu'; 'Gervase
Markham'; 'Ryan Sleevi'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

ok. Let's be more specific. I'm asking what EVG steps would lead you to 
your final decision (whatever it be). It has nothing to do with DigiCert..

Imagine you have an e-mail application requesting EV cert for ABC Inc 
whose REAL legal address is the one on the picture.

Thanks,
M.D.

On 5/10/2014 12:12 AM, Jeremy Rowley wrote:
> Basing validation on a picture is difficult/impossible.  For all I know,
> that is a legitimate soap company in Belgium with operational phone, text,
> and address. However, I'm pretty sure 100 different EV certs for different
> companies (as stated in your original email) with this same address would
> create a red flag in our system.
>
> Considering this discussion is solely on whether telephone actually helps
> establish physical existence, DigiCert's specific steps in fulfilling the
> requirements seem out-of-scope (and proprietary).  Since you implied
> telephone as necessary to show that the location doesn't contain a
> legitimate company, I'd like you to share the logic on that.
>
> Jeremy
>
> -----Original Message-----
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Friday, May 9, 2014 3:05 PM
> To: Jeremy Rowley; richard.smith at comodo.com; 'Kelvin Yiu'; 'Gervase
> Markham'; 'Ryan Sleevi'
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>
> Just list your steps that would generate your final decision to issue
> (or not) the EV cert.
>
> Thanks,
> M.D.
>
> On 5/9/2014 11:56 PM, Jeremy Rowley wrote:
>> To turn your question on its head - how would a telephone number prevent
> the
>> address from being verified?  The address verification is not linked to
> the
>> telephone verification.
>>
>> Jeremy
>>
>> -----Original Message-----
>> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
>> Sent: Friday, May 9, 2014 2:54 PM
>> To: richard.smith at comodo.com; 'Jeremy Rowley'; 'Kelvin Yiu'; 'Gervase
>> Markham'; 'Ryan Sleevi'
>> Cc: public at cabforum.org
>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>
>> Excellent point, Rich.
>> I'd love if we required an alternative/suggestion with every NO. And
>> would be a rule.
>> Unfortunately for this specific ballot I didn't have a good answer,
>> hence why voted "abstain".
>>
>> I thought the proposal would have been much convincing if someone could
>> show us how it'd work for a REAL life case (see attached pic).
>>
>> Thanks,
>> M.D.
>>
>> On 5/9/2014 11:18 PM, Rich Smith wrote:
>>> OK, so we kicked this around in the EV WG for quite some time.  We
>>> discussed, questioned, and came up with what we still think is a
>> reasonable
>>> update to the Guidelines to address a REAL issue.  I hear a lot of NOs
> and
>> a
>>> lot of what ifs.  Does anyone have what they think is a viable and
>>> reasonable alternative or an actual suggestion as to how we can modify
to
>>> come up with a ballot that you would support?
>>> -Rich
>>>
>>>> -----Original Message-----
>>>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>>> On Behalf Of Moudrick M. Dadashov
>>>> Sent: Friday, May 09, 2014 3:55 PM
>>>> To: Jeremy Rowley; 'Kelvin Yiu'; 'Gervase Markham'; 'Ryan Sleevi'
>>>> Cc: public at cabforum.org
>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>
>>>> Hi Jeremy,
>>>>
>>>>
>>>> That was a test case for EV verification, Jeremy, what would prevent
>>>> issuing EV SSL to one these paper companies?
>>>>
>>>> Thanks,
>>>> M.D.
>>>>
>>>> On 5/9/2014 10:09 PM, Jeremy Rowley wrote:
>>>>> If that's an acceptable result from your verification of physical
>>>>> existence,
>>>> you may have heard we are not issuing EV certs yet, nevertheless our
>>>> verification procedure always starts with the authentication of
>>>> applicant's representative (natural person).
>>>>> may you should consider re-evaluating your (and your auditor's)
>>>> Thanks for the lesson Jeremy, I'm glad you advised.
>>>>
>>>> In fact that was a test case, what would prevent you to issue an EV
>>>> cert for one of these businesses, keeping in mind the geographic
>>>> distance.
>>>>
>>>> Thanks,
>>>> M.D.
>>>>
>>>>> understanding of Section 11.4.1.
>>>>>
>>>>> Jeremy
>>>>>
>>>>> -----Original Message-----
>>>>> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
>>>>> Sent: Friday, May 9, 2014 12:00 PM
>>>>> To: Kelvin Yiu; Jeremy Rowley; 'Gervase Markham'; 'Ryan Sleevi'
>>>>> Cc: public at cabforum.org
>>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>>
>>>>> +1
>>>>>
>>>>> As an illustration attached please find legal/physical existence of
>>>>> 100s of companies.
>>>>>
>>>>> Thanks,
>>>>> M.D.
>>>>>
>>>>> On 5/9/2014 8:13 PM, Kelvin Yiu wrote:
>>>>>> I don't think CAs are being asked to keep using landlines to verify
>>>>> physical existence. The question is what do you replace it with, if
>>>>> any for the physical existence test?
>>>>>> Kelvin
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
>>>>>> Sent: Friday, May 9, 2014 9:54 AM
>>>>>> To: 'Gervase Markham'; 'Ryan Sleevi'
>>>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>>>> Subject: RE: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>>>
>>>>>> Every policy reaches a point where additional steps add complexity
>>>>>> without
>>>>> providing an equivalent increase in assurance.  In my opinion,
>>>> relying
>>>>> on a telephone number for physical existence is that point.  CAs
>>>>> already verify physical existence using an actual registered physical
>>>>> address of the applicant (PO boxes are prohibited).  The verification
>>>>> process is quite rigorous. Further requiring a phone number only
>>>>> serves to lock businesses into an increasingly archaic business
>>>> structure and inhibit CA innovation.
>>>>> Ultimately, this all means that replacing the telephone with  an
>>>>> additional certitude on physical existence is not really necessary.
>>>>>> The working group discussed removing this section completely as an
>>>>> unnecessary additional step.  However, we ultimately still saw value
>>>>> in the check as a means for establishing a reliable method of
>>>>> communication with the subscriber.  Unfortunately, unlike most of the
>>>>> EV Guidelines, the telephone requirement relies on a specific form of
>>>> technology, a land line.
>>>>>> If the physical existence verification is still a concern for
>>>>>> Mozilla, can
>>>>> you provide guidance on what you'd consider acceptable?  We really
>>>>> need to get something in place to account for the move away from
>>>>> corporate telephone numbers.
>>>>>> Jeremy
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Gervase Markham [mailto:gerv at mozilla.org]
>>>>>> Sent: Friday, May 9, 2014 3:00 AM
>>>>>> To: Ryan Sleevi; jeremy rowley
>>>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>>>
>>>>>> On 09/05/14 02:18, Ryan Sleevi wrote:
>>>>>>> Considering that a significant part of the "extended" verification
>>>>>>> is asserting the physical existence of the subscriber, I have to
>>>>>>> respectfully disagree here.
>>>>>> I think this is the heart of the question of whether this change, in
>>>>> principle, is reasonable (that's as opposed to smaller discussions
>>>>> about appropriate comms methods).
>>>>>> In today's world, does the phone number check add significantly to
>>>>>> the
>>>>> certitude the CA has about the physical existence of the subscriber
>>>> at
>>>>> the address from the QIS? If not, then this ballot is OK. If it does,
>>>>> then how do we replace that additional certitude, for companies who
>>>>> don't have a landline? Are they inherently more fly-by-night, or do
>>>> we
>>>>> just need to find different ways of acquiring that certitude. If we
>>>>> need to find those ways, let's find them and implement them in the
>>>>> same move as relaxing this requirement.
>>>>>>> What are the assurances of extended verification for relying
>>>> parties
>>>>>>> under this justification? What does it matter that the CA has a
>>>>>>> reliable means to contact the Subscriber if the RP doesn't?
>>>>>> As someone else pointed out, this phone number is not put in the
>>>>>> cert, so
>>>>> the RP is no worse off. Phone numbers are also reasonably ephemeral
>>>>> today, even land lines. A registered physical place of business seems
>>>>> to me to be the correct way to "nail down" a particular company.
>>>>>> Gerv
>>>>>>
>>>>>> _______________________________________________
>>>>>> Public mailing list
>>>>>> Public at cabforum.org
>>>>>> https://cabforum.org/mailman/listinfo/public
>>
>
>






More information about the Public mailing list