[cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing

Wayne Thayer wthayer at mozilla.com
Wed Nov 29 17:44:26 UTC 2017


The EV process is intended to gather a robust body of information about the
Subject that, when viewed collectively, "provides users with a trustworthy
confirmation of the identity of the entity". James and later Ryan have
pointed out a weakness in the standard where incorrect data from a single
data source (QGIS) could be used to obtain a "properly validated" EV
certificate containing that incorrect data.

A positive outcome from this discussion would be for the Validation WG to
review this information and propose changes to the EVGLs (such as a
requirement for face-to-face validation mentioned by Jeremy) that mitigate
this weakness.

Wayne