[cabfpub] Obtaining an EV cert for phishing

Gervase Markham gerv at mozilla.org
Tue Nov 28 13:54:06 UTC 2017


On 27/11/17 19:52, Jeremy Rowley wrote:
> Basically, Symantec verified the organization using the UK Companies
> House, which qualifies as a QGIS. Because it's a QGIS, the data
> source can be used to validate most of the requirements under the EV
> Guidelines, including address and legal existence.  The phone number
> was verified using QIIS and a call to the number, answered, of
> course, by the applicant. The result is James ended up forming a real
> company with fake address information. 

As I read his blog post, he formed it with real address information, but
his assertion is that it would have been just as easy to form it with
fake address information, as the address information is not validated by
Companies House in any way.

James: is that correct?

(BTW, as others have said, I'm not convinced that either rejecting
"suspicious" names, or requiring a landline, is the way forward here.)

Gerv


