[cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Nov 29 18:33:54 UTC 2017


Interesting idea, Wayne – we already have a process in the EV Guidelines for doing Face-to-Face Validation for individuals at EVGL 11.2.2(4)(A), but it’s not required in all cases.  Maybe this is as simple as adding that as a requirement in all cases for EV certs.

From: Wayne Thayer [mailto:wthayer at mozilla.com]
Sent: Wednesday, November 29, 2017 9:44 AM
To: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing

The EV process is intended to gather a robust body of information about the Subject that, when viewed collectively, "provides users with a trustworthy confirmation of the identity of the entity". James and later Ryan have pointed out a weakness in the standard where incorrect data from a single data source (QGIS) could be used to obtain a "properly validated" EV certificate containing that incorrect data.

A positive outcome from this discussion would be for the Validation WG to review this information and propose changes to the EVGLs (such as a requirement for face-to-face validation mentioned by Jeremy) that mitigate this weakness.

Wayne