[cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing
Kirk.Hall at entrustdatacard.com
Wed Nov 29 18:33:54 UTC 2017
Interesting idea, Wayne – we already have a process in the EV Guidelines for doing Face-to-Face Validation for individuals at EVGL 11.2.2(4)(A), but it’s not required in all cases. Maybe this is as simple as adding that as a requirement in all cases for EV certs.
From: Wayne Thayer [mailto:wthayer at mozilla.com]
Sent: Wednesday, November 29, 2017 9:44 AM
To: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing
The EV process is intended to gather a robust body of information about the Subject that, when viewed collectively, "provides users with a trustworthy confirmation of the identity of the entity". James and later Ryan have pointed out a weakness in the standard where incorrect data from a single data source (QGIS) could be used to obtain a "properly validated" EV certificate containing that incorrect data.
A positive outcome from this discussion would be for the Validation WG to review this information and propose changes to the EVGLs (such as a requirement for face-to-face validation mentioned by Jeremy) that mitigate this weakness.