[cabfpub] Ballot 122 - Verified Method of Communication
Jeremy Rowley
jeremy.rowley at digicert.com
Fri May 9 21:46:38 UTC 2014
Nothing personal taken. I'm interested in seeing the CAB Forum do something
to address the situation so insight from anyone with ideas or concerns is
greatly appreciated.
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Moudrick M. Dadashov
Sent: Friday, May 9, 2014 3:36 PM
To: Jeremy Rowley; richard.smith at comodo.com; 'Kelvin Yiu'; 'Gervase
Markham'; 'Ryan Sleevi'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
Thanks for the fair answer, I respect your opinion but I can hardly accept
it for someone leading a group. Sorry, nothing personal, really.
Thanks,
M.D.
On 5/10/2014 12:10 AM, Jeremy Rowley wrote:
> This ballot only. It's a polite request, not a rule or demand. I'm
> genuinely curious on how they see the Forum addressing countries that
> no longer support land lines.
>
> Jeremy
>
> -----Original Message-----
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Friday, May 9, 2014 3:08 PM
> To: Jeremy Rowley; richard.smith at comodo.com; 'Kelvin Yiu'; 'Gervase
> Markham'; 'Ryan Sleevi'
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>
> Is this interest applicable to this ballot only or as a rule?
>
> Thanks,
> M.D.
>
> On 5/9/2014 11:58 PM, Jeremy Rowley wrote:
>> And I agree with Rick's question. Since Mozilla and Microsoft voted
>> against the proposal, I'd be especially interested in hearing what
>> they would consider an acceptable alternative to a telephone number.
>>
>> Jeremy
>>
>> -----Original Message-----
>> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
>> Sent: Friday, May 9, 2014 2:54 PM
>> To: richard.smith at comodo.com; 'Jeremy Rowley'; 'Kelvin Yiu'; 'Gervase
>> Markham'; 'Ryan Sleevi'
>> Cc: public at cabforum.org
>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>
>> Excellent point, Rich.
>> I'd love it if we required an alternative/suggestion with every NO. And
>> it would be a rule.
>> Unfortunately for this specific ballot I didn't have a good answer,
>> hence why I voted "abstain".
>>
>> I thought the proposal would have been much more convincing if someone
>> could show us how it'd work for a REAL life case (see attached pic).
>>
>> Thanks,
>> M.D.
>>
>> On 5/9/2014 11:18 PM, Rich Smith wrote:
>>> OK, so we kicked this around in the EV WG for quite some time. We
>>> discussed, questioned, and came up with what we still think is a
>>> reasonable update to the Guidelines to address a REAL issue. I hear
>>> a lot of NOs and a lot of what ifs. Does anyone have what they think
>>> is a viable and reasonable alternative or an actual suggestion as to
>>> how we can modify to come up with a ballot that you would support?
>>> -Rich
>>>
>>>> -----Original Message-----
>>>> From: public-bounces at cabforum.org
>>>> [mailto:public-bounces at cabforum.org]
>>>> On Behalf Of Moudrick M. Dadashov
>>>> Sent: Friday, May 09, 2014 3:55 PM
>>>> To: Jeremy Rowley; 'Kelvin Yiu'; 'Gervase Markham'; 'Ryan Sleevi'
>>>> Cc: public at cabforum.org
>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of
>>>> Communication
>>>>
>>>> Hi Jeremy,
>>>>
>>>>
>>>> That was a test case for EV verification, Jeremy, what would
>>>> prevent issuing EV SSL to one of these paper companies?
>>>>
>>>> Thanks,
>>>> M.D.
>>>>
>>>> On 5/9/2014 10:09 PM, Jeremy Rowley wrote:
>>>>> If that's an acceptable result from your verification of physical
>>>>> existence,
>>>> you may have heard we are not issuing EV certs yet, nevertheless
>>>> our verification procedure always starts with the authentication of
>>>> applicant's representative (natural person).
>>>>> maybe you should consider re-evaluating your (and your auditor's)
>>>> Thanks for the lesson Jeremy, I'm glad you advised.
>>>>
>>>> In fact that was a test case, what would prevent you from issuing an
>>>> EV cert for one of these businesses, keeping in mind the geographic
>>>> distance.
>>>>
>>>> Thanks,
>>>> M.D.
>>>>
>>>>> understanding of Section 11.4.1.
>>>>>
>>>>> Jeremy
>>>>>
>>>>> -----Original Message-----
>>>>> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
>>>>> Sent: Friday, May 9, 2014 12:00 PM
>>>>> To: Kelvin Yiu; Jeremy Rowley; 'Gervase Markham'; 'Ryan Sleevi'
>>>>> Cc: public at cabforum.org
>>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of
>>>>> Communication
>>>>>
>>>>> +1
>>>>>
>>>>> As an illustration attached please find legal/physical existence
>>>>> of 100s of companies.
>>>>>
>>>>> Thanks,
>>>>> M.D.
>>>>>
>>>>> On 5/9/2014 8:13 PM, Kelvin Yiu wrote:
>>>>>> I don't think CAs are being asked to keep using landlines to
>>>>>> verify physical existence. The question is what do you replace it
>>>>>> with, if any for the physical existence test?
>>>>>>
>>>>>> Kelvin
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
>>>>>> Sent: Friday, May 9, 2014 9:54 AM
>>>>>> To: 'Gervase Markham'; 'Ryan Sleevi'
>>>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>>>> Subject: RE: [cabfpub] Ballot 122 - Verified Method of
>>>>>> Communication
>>>>>>
>>>>>> Every policy reaches a point where additional steps add
>>>>>> complexity without providing an equivalent increase in assurance.
>>>>>> In my opinion, relying on a telephone number for physical
>>>>>> existence is that point. CAs already verify physical existence
>>>>>> using an actual registered physical address of the applicant (PO
>>>>>> boxes are prohibited). The verification process is quite
>>>>>> rigorous. Further requiring a phone number only serves to lock
>>>>>> businesses into an increasingly archaic business structure and
>>>>>> inhibit CA innovation. Ultimately, this all means that replacing
>>>>>> the telephone with an additional certitude on physical existence
>>>>>> is not really necessary.
>>>>>>
>>>>>> The working group discussed removing this section completely as
>>>>>> an unnecessary additional step. However, we ultimately still saw
>>>>>> value in the check as a means for establishing a reliable method
>>>>>> of communication with the subscriber. Unfortunately, unlike most
>>>>>> of the EV Guidelines, the telephone requirement relies on a
>>>>>> specific form of technology, a land line.
>>>>>>
>>>>>> If the physical existence verification is still a concern for
>>>>>> Mozilla, can you provide guidance on what you'd consider
>>>>>> acceptable? We really need to get something in place to account
>>>>>> for the move away from corporate telephone numbers.
>>>>>>
>>>>>> Jeremy
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Gervase Markham [mailto:gerv at mozilla.org]
>>>>>> Sent: Friday, May 9, 2014 3:00 AM
>>>>>> To: Ryan Sleevi; jeremy rowley
>>>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of
>>>>>> Communication
>>>>>>
>>>>>> On 09/05/14 02:18, Ryan Sleevi wrote:
>>>>>>> Considering that a significant part of the "extended"
>>>>>>> verification is asserting the physical existence of the
>>>>>>> subscriber, I have to respectfully disagree here.
>>>>>> I think this is the heart of the question of whether this change,
>>>>>> in principle, is reasonable (that's as opposed to smaller
>>>>>> discussions about appropriate comms methods).
>>>>>>
>>>>>> In today's world, does the phone number check add significantly
>>>>>> to the certitude the CA has about the physical existence of the
>>>>>> subscriber at the address from the QIS? If not, then this ballot
>>>>>> is OK. If it does, then how do we replace that additional
>>>>>> certitude, for companies who don't have a landline? Are they
>>>>>> inherently more fly-by-night, or do we just need to find
>>>>>> different ways of acquiring that certitude. If we need to find
>>>>>> those ways, let's find them and implement them in the same move
>>>>>> as relaxing this requirement.
>>>>>>
>>>>>>> What are the assurances of extended verification for relying
>>>>>>> parties under this justification? What does it matter that the
>>>>>>> CA has a reliable means to contact the Subscriber if the RP
>>>>>>> doesn't?
>>>>>>
>>>>>> As someone else pointed out, this phone number is not put in the
>>>>>> cert, so the RP is no worse off. Phone numbers are also
>>>>>> reasonably ephemeral today, even land lines. A registered
>>>>>> physical place of business seems to me to be the correct way to
>>>>>> "nail down" a particular company.
>>>>>>
>>>>>> Gerv
>>>>>>