[cabfpub] Obtaining an EV cert for phishing

Gervase Markham gerv at mozilla.org
Tue Nov 28 17:45:59 UTC 2017


Hi Kirk,

On 28/11/17 17:03, Kirk Hall wrote:
> Thanks for the additional information, James.  In the end, the EV
> Guidelines did exactly what they were designed to do – they provided a
> way for the public to find you (as the company owner) if you used your
> EV certificate and domain to do something wrong. 

They did, but only because he was honest. He is pointing out that it may
not be difficult, due to the lack of checking, for a dishonest person to
use fake information. I do think that's an issue of concern.

I would say that the EV Guidelines allow EV issuers to trust things
which are QGISes because there's an assumption that information in a
Government information source will have had some level of checking. But
it seems from this experience that this is not true in all cases. That
concerns me. Do we have to agree that Companies House is not a valid QGIS?

This is not a phishing issue, it's a more general "integrity of the EV
process" issue.

Gerv


