[cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing

Geoff Keating geoffk at apple.com
Mon Dec 4 14:12:12 MST 2017



> On 4 Dec 2017, at 12:51 pm, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
> 
> Geoff, a few quick responses to your points below:
> 
> 1. I think you are proposing the CA confirm the address information by sending (mail, delivery) a confirmation message with a shared secret to the customer, and requiring a response back using the shared secret.  I think that's a good idea - it might get problematic for a big company (for Apple, we might have to mail to you at 1 Infinity Loop - how long would it take for you to receive it?).

No—this section is verification of ‘Applicant’s Physical Existence’, so this would be (i)(2), a site visit confirming such things as permanent signage.  The ability to receive mail is not what that section is trying to check; drop boxes, PO boxes, and such are not good enough.

> 2.  We can also require a Face-to-Face requirement to discourage potential fraudsters, maybe limited to companies less than 1 year old (less than 6 months old?) and with net worth (as reported in a third party business data source) of less than $1 million (?) - financial estimates like that are made by the third party data source, and are not self-reported.  Maybe we also should limit the mailing address confirmation the same way - only require for companies that are less than 1 year old (6 months old?) and with new worth (as reported in a third party business data source) of less than $1 million.  

Again, I’m not sure what a face-to-face would be verifying.  This isn’t about existence of the person, it’s about the business.

> 3.  Geoff, while it's true that third party data sources will start with self-reported data (like name and address), the rest of the data they use is typically compiled by the third party data source, not just from self-reported data or copied from public government data bases.

Yes… but we don’t require any of that other data, just the name and address.

>  Remember, the main customers of Hoover's and D&B are using the data to make major credit decisions, not just to confirm addresses or incorporation status, and the third party data sources use their own data (including credit reporting from vendors who work with the subject company) and their own anti-fraud algorithms to avoid broadcasting false data.  

Well, maybe we could require an actual credit check, then?  Or at least existence of a bank account?  Banks are required to do their own verification so I’d think the existence of a bank account with that address should count for something.  But a bank usually won’t release the physical address, only the mailing address…

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20171204/59965b52/attachment-0001.p7s>


More information about the Public mailing list