[cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing

Ryan Sleevi sleevi at google.com
Wed Nov 29 18:58:56 UTC 2017


You are correct that 11.2.2(4)(A) does not require that, because 11.2.2(4)
is limited to a specific type of subject, rather than corporate or
government identities (11.2.2(1) and (3), and 11.2.2(4), respectively).
This is not surprising, as corporate legal persons do not themselves
constitute natural persons that you can meet F2F with.

I think if that's something of value - and again, I question that premise
itself - then I think it's worth noting that the F2F method you describe
allows for a Registration Agency (a QGIS...) to do that. If the Validation
WG were to do that, then it seems like it would also be necessary to
maintain an open, community database of Registration Agencies that one or
more CAs have deemed to fulfill or not fulfill the F2F validation
requirements, as otherwise, the level of assurance is insufficient when
considering a holistic system that allows two CAs to reach different
conclusions about the same Registration Agency's process.

And much like the questioning of the utility of QGIS's and their use as a
single source of information, we'd have simply moved the weak link from
being the QGIS to the means or method of which the CA attests to the
independence of the Third-Party Validator (which 11.2.2(4)(B) allows the CA
to do at its discretion) if we are to make a meaningful statement about the
holistic value of EV.

On Wed, Nov 29, 2017 at 1:33 PM, Kirk Hall via Public <public at cabforum.org>
wrote:

> Interesting idea, Wayne – we already have a process in the EV Guidelines
> for doing Face-to-Face Validation for individuals at EVGL 11.2.2(4)(A), but
> it’s not required in all cases.  Maybe this is as simple as adding that as
> a requirement in all cases for EV certs.
>
> *From:* Wayne Thayer [mailto:wthayer at mozilla.com]
> *Sent:* Wednesday, November 29, 2017 9:44 AM
> *To:* Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion
> List <public at cabforum.org>
> *Cc:* Kirk Hall <Kirk.Hall at entrustdatacard.com>
> *Subject:* Re: [cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing
>
> The EV process is intended to gather a robust body of information about
> the Subject that, when viewed collectively, "provides users with a
> trustworthy confirmation of the identity of the entity". James and later
> Ryan have pointed out a weakness in the standard where incorrect data from
> a single data source (QGIS) could be used to obtain a "properly validated"
> EV certificate containing that incorrect data.
>
> A positive outcome from this discussion would be for the Validation WG to
> review this information and propose changes to the EVGLs (such as a
> requirement for face-to-face validation mentioned by Jeremy) that mitigate
> this weakness.
>
> Wayne