[cabfpub] Ballot 122 - Verified Method of Communication
Moudrick M. Dadashov
md at ssc.lt
Fri May 9 21:35:49 UTC 2014
Thanks for fair answer, I respect your opinion but I can hardly can
accept it for someone leading a group. Sorry, nothing personal, really.
Thanks,
M.D.
On 5/10/2014 12:10 AM, Jeremy Rowley wrote:
> This ballot only. It's a polite request, not a rule or demand. I'm
> genuinely curious on how they see the Forum addressing countries that no
> longer support land lines.
>
> Jeremy
>
> -----Original Message-----
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Friday, May 9, 2014 3:08 PM
> To: Jeremy Rowley; richard.smith at comodo.com; 'Kelvin Yiu'; 'Gervase
> Markham'; 'Ryan Sleevi'
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>
> Is this interest applicable to this ballot only or as a rule?
>
> Thanks,
> M.D.
>
> On 5/9/2014 11:58 PM, Jeremy Rowley wrote:
>> And I agree with Rick's question. Since Mozilla and Microsoft voted
> against
>> the proposal. I'd be especially interested in hearing what they would
>> consider an acceptable alternative to a telephone number.
>>
>> Jeremy
>>
>> -----Original Message-----
>> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
>> Sent: Friday, May 9, 2014 2:54 PM
>> To: richard.smith at comodo.com; 'Jeremy Rowley'; 'Kelvin Yiu'; 'Gervase
>> Markham'; 'Ryan Sleevi'
>> Cc: public at cabforum.org
>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>
>> Excellent point, Rich.
>> I'd love if we required an alternative/suggestion with every NO. And
>> would be a rule.
>> Unfortunately for this specific ballot I didn't have a good answer,
>> hence why voted "abstain".
>>
>> I thought the proposal would have been much convincing if someone could
>> show us how it'd work for a REAL life case (see attached pic).
>>
>> Thanks,
>> M.D.
>>
>> On 5/9/2014 11:18 PM, Rich Smith wrote:
>>> OK, so we kicked this around in the EV WG for quite some time. We
>>> discussed, questioned, and came up with what we still think is a
>> reasonable
>>> update to the Guidelines to address a REAL issue. I hear a lot of NOs
> and
>> a
>>> lot of what ifs. Does anyone have what they think is a viable and
>>> reasonable alternative or an actual suggestion as to how we can modify to
>>> come up with a ballot that you would support?
>>> -Rich
>>>
>>>> -----Original Message-----
>>>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>>> On Behalf Of Moudrick M. Dadashov
>>>> Sent: Friday, May 09, 2014 3:55 PM
>>>> To: Jeremy Rowley; 'Kelvin Yiu'; 'Gervase Markham'; 'Ryan Sleevi'
>>>> Cc: public at cabforum.org
>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>
>>>> Hi Jeremy,
>>>>
>>>>
>>>> That was a test case for EV verification, Jeremy, what would prevent
>>>> issuing EV SSL to one these paper companies?
>>>>
>>>> Thanks,
>>>> M.D.
>>>>
>>>> On 5/9/2014 10:09 PM, Jeremy Rowley wrote:
>>>>> If that's an acceptable result from your verification of physical
>>>>> existence,
>>>> you may have heard we are not issuing EV certs yet, nevertheless our
>>>> verification procedure always starts with the authentication of
>>>> applicant's representative (natural person).
>>>>> may you should consider re-evaluating your (and your auditor's)
>>>> Thanks for the lesson Jeremy, I'm glad you advised.
>>>>
>>>> In fact that was a test case, what would prevent you to issue an EV
>>>> cert for one of these businesses, keeping in mind the geographic
>>>> distance.
>>>>
>>>> Thanks,
>>>> M.D.
>>>>
>>>>> understanding of Section 11.4.1.
>>>>>
>>>>> Jeremy
>>>>>
>>>>> -----Original Message-----
>>>>> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
>>>>> Sent: Friday, May 9, 2014 12:00 PM
>>>>> To: Kelvin Yiu; Jeremy Rowley; 'Gervase Markham'; 'Ryan Sleevi'
>>>>> Cc: public at cabforum.org
>>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>>
>>>>> +1
>>>>>
>>>>> As an illustration attached please find legal/physical existence of
>>>>> 100s of companies.
>>>>>
>>>>> Thanks,
>>>>> M.D.
>>>>>
>>>>> On 5/9/2014 8:13 PM, Kelvin Yiu wrote:
>>>>>> I don't think CAs are being asked to keep using landlines to verify
>>>>> physical existence. The question is what do you replace it with, if
>>>>> any for the physical existence test?
>>>>>> Kelvin
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
>>>>>> Sent: Friday, May 9, 2014 9:54 AM
>>>>>> To: 'Gervase Markham'; 'Ryan Sleevi'
>>>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>>>> Subject: RE: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>>>
>>>>>> Every policy reaches a point where additional steps add complexity
>>>>>> without
>>>>> providing an equivalent increase in assurance. In my opinion,
>>>> relying
>>>>> on a telephone number for physical existence is that point. CAs
>>>>> already verify physical existence using an actual registered physical
>>>>> address of the applicant (PO boxes are prohibited). The verification
>>>>> process is quite rigorous. Further requiring a phone number only
>>>>> serves to lock businesses into an increasingly archaic business
>>>> structure and inhibit CA innovation.
>>>>> Ultimately, this all means that replacing the telephone with an
>>>>> additional certitude on physical existence is not really necessary.
>>>>>> The working group discussed removing this section completely as an
>>>>> unnecessary additional step. However, we ultimately still saw value
>>>>> in the check as a means for establishing a reliable method of
>>>>> communication with the subscriber. Unfortunately, unlike most of the
>>>>> EV Guidelines, the telephone requirement relies on a specific form of
>>>> technology, a land line.
>>>>>> If the physical existence verification is still a concern for
>>>>>> Mozilla, can
>>>>> you provide guidance on what you'd consider acceptable? We really
>>>>> need to get something in place to account for the move away from
>>>>> corporate telephone numbers.
>>>>>> Jeremy
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Gervase Markham [mailto:gerv at mozilla.org]
>>>>>> Sent: Friday, May 9, 2014 3:00 AM
>>>>>> To: Ryan Sleevi; jeremy rowley
>>>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>>>>>
>>>>>> On 09/05/14 02:18, Ryan Sleevi wrote:
>>>>>>> Considering that a significant part of the "extended" verification
>>>>>>> is asserting the physical existence of the subscriber, I have to
>>>>>>> respectfully disagree here.
>>>>>> I think this is the heart of the question of whether this change, in
>>>>> principle, is reasonable (that's as opposed to smaller discussions
>>>>> about appropriate comms methods).
>>>>>> In today's world, does the phone number check add significantly to
>>>>>> the
>>>>> certitude the CA has about the physical existence of the subscriber
>>>> at
>>>>> the address from the QIS? If not, then this ballot is OK. If it does,
>>>>> then how do we replace that additional certitude, for companies who
>>>>> don't have a landline? Are they inherently more fly-by-night, or do
>>>> we
>>>>> just need to find different ways of acquiring that certitude. If we
>>>>> need to find those ways, let's find them and implement them in the
>>>>> same move as relaxing this requirement.
>>>>>>> What are the assurances of extended verification for relying
>>>> parties
>>>>>>> under this justification? What does it matter that the CA has a
>>>>>>> reliable means to contact the Subscriber if the RP doesn't?
>>>>>> As someone else pointed out, this phone number is not put in the
>>>>>> cert, so
>>>>> the RP is no worse off. Phone numbers are also reasonably ephemeral
>>>>> today, even land lines. A registered physical place of business seems
>>>>> to me to be the correct way to "nail down" a particular company.
>>>>>> Gerv
>>>>>>
>>>>>> _______________________________________________
>>>>>> Public mailing list
>>>>>> Public at cabforum.org
>>>>>> https://cabforum.org/mailman/listinfo/public
>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3663 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140510/cf53ad8d/attachment-0001.p7s>
More information about the Public
mailing list