[cabfpub] Obtaining an EV cert for phishing
ben.wilson at digicert.com
Tue Nov 28 17:50:29 UTC 2017
Gerv wrote: I would say that the EV Guidelines allow EV issuers to trust things which are QGISes because there's an assumption that information in a Government information source will have had some level of checking.
I'd disagree. QGISes are relied upon because everyone relies on them because lying to the government is a crime.
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Tuesday, November 28, 2017 10:46 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; James Burton <james at sirburton.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Obtaining an EV cert for phishing
On 28/11/17 17:03, Kirk Hall wrote:
> Thanks for the additional information, James. In the end, the EV
> Guidelines did exactly what they were designed to do – they provided a
> way for the public to find you (as the company owner) if you used your
> EV certificate and domain to do something wrong.
They did, but only because he was honest. He is pointing out that it may not be difficult, due to the lack of checking, for a dishonest person to use fake information. I do think that's an issue of concern.
I would say that the EV Guidelines allow EV issuers to trust things which are QGISes because there's an assumption that information in a Government information source will have had some level of checking. But it seems from this experience that this is not true in all cases. That concerns me. Do we have to agree that Companies House is not a valid QGIS?
This is not a phishing issue, it's a more general "integrity of the EV process" issue.
Public mailing list
Public at cabforum.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4934 bytes
Desc: not available
More information about the Public