[cabfpub] Ballot 122 - Verified Method of Communication

Kelvin Yiu kelviny at exchange.microsoft.com
Fri May 9 23:35:38 UTC 2014


I have a couple of ideas:

1. Verification from 2 independent Q*IS?
2. The address must not be a residential address?

Kelvin

-----Original Message-----
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Friday, May 9, 2014 2:47 PM
To: 'Moudrick M. Dadashov'; richard.smith at comodo.com; Kelvin Yiu; 'Gervase Markham'; 'Ryan Sleevi'
Cc: public at cabforum.org
Subject: RE: [cabfpub] Ballot 122 - Verified Method of Communication

Nothing personal taken.  I'm interested in seeing the CAB Forum do something to address the situation so insight from anyone with ideas or concerns is greatly appreciated.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Moudrick M. Dadashov
Sent: Friday, May 9, 2014 3:36 PM
To: Jeremy Rowley; richard.smith at comodo.com; 'Kelvin Yiu'; 'Gervase Markham'; 'Ryan Sleevi'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication

Thanks for the fair answer. I respect your opinion, but I can hardly accept it for someone leading a group. Sorry, nothing personal, really.

Thanks,
M.D.

On 5/10/2014 12:10 AM, Jeremy Rowley wrote:
> This ballot only.  It's a polite request, not a rule or demand.  I'm 
> genuinely curious on how they see the Forum addressing countries that 
> no longer support land lines.
>
> Jeremy
>
> -----Original Message-----
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Friday, May 9, 2014 3:08 PM
> To: Jeremy Rowley; richard.smith at comodo.com; 'Kelvin Yiu'; 'Gervase 
> Markham'; 'Ryan Sleevi'
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>
> Is this interest applicable to this ballot only or as a rule?
>
> Thanks,
> M.D.
>
> On 5/9/2014 11:58 PM, Jeremy Rowley wrote:
>> And I agree with Rick's question.  Since Mozilla and Microsoft voted
>> against the proposal, I'd be especially interested in hearing what they would
>> consider an acceptable alternative to a telephone number.
>>
>> Jeremy
>>
>> -----Original Message-----
>> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
>> Sent: Friday, May 9, 2014 2:54 PM
>> To: richard.smith at comodo.com; 'Jeremy Rowley'; 'Kelvin Yiu'; 'Gervase 
>> Markham'; 'Ryan Sleevi'
>> Cc: public at cabforum.org
>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of Communication
>>
>> Excellent point, Rich.
>> I'd love it if we required an alternative/suggestion with every NO, and 
>> it would be a rule.
>> Unfortunately for this specific ballot I didn't have a good answer, 
>> hence why I voted "abstain".
>>
>> I thought the proposal would have been much more convincing if someone 
>> could show us how it'd work for a REAL life case (see attached pic).
>>
>> Thanks,
>> M.D.
>>
>> On 5/9/2014 11:18 PM, Rich Smith wrote:
>>> OK, so we kicked this around in the EV WG for quite some time.  We 
>>> discussed, questioned, and came up with what we still think is a reasonable
>>> update to the Guidelines to address a REAL issue.  I hear a lot of NOs and a
>>> lot of what ifs.  Does anyone have what they think is a viable and 
>>> reasonable alternative or an actual suggestion as to how we can 
>>> modify to come up with a ballot that you would support?
>>> -Rich
>>>
>>>> -----Original Message-----
>>>> From: public-bounces at cabforum.org
>>>> [mailto:public-bounces at cabforum.org]
>>>> On Behalf Of Moudrick M. Dadashov
>>>> Sent: Friday, May 09, 2014 3:55 PM
>>>> To: Jeremy Rowley; 'Kelvin Yiu'; 'Gervase Markham'; 'Ryan Sleevi'
>>>> Cc: public at cabforum.org
>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of 
>>>> Communication
>>>>
>>>> Hi Jeremy,
>>>>
>>>>
>>>> That was a test case for EV verification, Jeremy, what would 
>>>> prevent issuing EV SSL to one of these paper companies?
>>>>
>>>> Thanks,
>>>> M.D.
>>>>
>>>> On 5/9/2014 10:09 PM, Jeremy Rowley wrote:
>>>>> If that's an acceptable result from your verification of physical 
>>>>> existence,
>>>> you may have heard we are not issuing EV certs yet, nevertheless 
>>>> our verification procedure always starts with the authentication of 
>>>> applicant's representative (natural person).
>>>>> maybe you should consider re-evaluating your (and your auditor's)
>>>> Thanks for the lesson Jeremy, I'm glad you advised.
>>>>
>>>> In fact that was a test case, what would prevent you from issuing an EV 
>>>> cert for one of these businesses, keeping in mind the geographic 
>>>> distance?
>>>>
>>>> Thanks,
>>>> M.D.
>>>>
>>>>> understanding of Section 11.4.1.
>>>>>
>>>>> Jeremy
>>>>>
>>>>> -----Original Message-----
>>>>> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
>>>>> Sent: Friday, May 9, 2014 12:00 PM
>>>>> To: Kelvin Yiu; Jeremy Rowley; 'Gervase Markham'; 'Ryan Sleevi'
>>>>> Cc: public at cabforum.org
>>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of 
>>>>> Communication
>>>>>
>>>>> +1
>>>>>
>>>>> As an illustration attached please find legal/physical existence 
>>>>> of 100s of companies.
>>>>>
>>>>> Thanks,
>>>>> M.D.
>>>>>
>>>>> On 5/9/2014 8:13 PM, Kelvin Yiu wrote:
>>>>>> I don't think CAs are being asked to keep using landlines to verify
>>>>>> physical existence. The question is what do you replace it with, 
>>>>>> if any, for the physical existence test?
>>>>>>
>>>>>> Kelvin
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
>>>>>> Sent: Friday, May 9, 2014 9:54 AM
>>>>>> To: 'Gervase Markham'; 'Ryan Sleevi'
>>>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>>>> Subject: RE: [cabfpub] Ballot 122 - Verified Method of 
>>>>>> Communication
>>>>>>
>>>>>> Every policy reaches a point where additional steps add 
>>>>>> complexity without providing an equivalent increase in assurance.  In my opinion,
>>>>>> relying on a telephone number for physical existence is that point.  CAs 
>>>>>> already verify physical existence using an actual registered 
>>>>>> physical address of the applicant (PO boxes are prohibited).  The 
>>>>>> verification process is quite rigorous. Further requiring a phone 
>>>>>> number only serves to lock businesses into an increasingly archaic 
>>>>>> business structure and inhibit CA innovation.
>>>>>> Ultimately, this all means that replacing the telephone with an 
>>>>>> additional certitude on physical existence is not really necessary.
>>>>>>
>>>>>> The working group discussed removing this section completely as an
>>>>>> unnecessary additional step.  However, we ultimately still saw 
>>>>>> value in the check as a means for establishing a reliable method 
>>>>>> of communication with the subscriber.  Unfortunately, unlike most 
>>>>>> of the EV Guidelines, the telephone requirement relies on a 
>>>>>> specific form of technology, a land line.
>>>>>>
>>>>>> If the physical existence verification is still a concern for 
>>>>>> Mozilla, can you provide guidance on what you'd consider acceptable?  We really 
>>>>>> need to get something in place to account for the move away from 
>>>>>> corporate telephone numbers.
>>>>>>
>>>>>> Jeremy
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Gervase Markham [mailto:gerv at mozilla.org]
>>>>>> Sent: Friday, May 9, 2014 3:00 AM
>>>>>> To: Ryan Sleevi; jeremy rowley
>>>>>> Cc: ben at digicert.com; Kelvin Yiu; public at cabforum.org
>>>>>> Subject: Re: [cabfpub] Ballot 122 - Verified Method of 
>>>>>> Communication
>>>>>>
>>>>>> On 09/05/14 02:18, Ryan Sleevi wrote:
>>>>>>> Considering that a significant part of the "extended" 
>>>>>>> verification is asserting the physical existence of the 
>>>>>>> subscriber, I have to respectfully disagree here.
>>>>>> I think this is the heart of the question of whether this change, in
>>>>>> principle, is reasonable (that's as opposed to smaller discussions 
>>>>>> about appropriate comms methods).
>>>>>>
>>>>>> In today's world, does the phone number check add significantly to the
>>>>>> certitude the CA has about the physical existence of the subscriber at
>>>>>> the address from the QIS? If not, then this ballot is OK. If it 
>>>>>> does, then how do we replace that additional certitude, for 
>>>>>> companies who don't have a landline? Are they inherently more 
>>>>>> fly-by-night, or do we just need to find different ways of acquiring 
>>>>>> that certitude? If we need to find those ways, let's find them and 
>>>>>> implement them in the same move as relaxing this requirement.
>>>>>>
>>>>>>> What are the assurances of extended verification for relying parties
>>>>>>> under this justification? What does it matter that the CA has a 
>>>>>>> reliable means to contact the Subscriber if the RP doesn't?
>>>>>> As someone else pointed out, this phone number is not put in the cert, so
>>>>>> the RP is no worse off. Phone numbers are also reasonably 
>>>>>> ephemeral today, even land lines. A registered physical place of 
>>>>>> business seems to me to be the correct way to "nail down" a 
>>>>>> particular company.
>>>>>>
>>>>>> Gerv
>>>>>>
>>>>>> _______________________________________________
>>>>>> Public mailing list
>>>>>> Public at cabforum.org
>>>>>> https://cabforum.org/mailman/listinfo/public
>>
>
>