Inspired by Ian Grigg's comment (in the subject line) and various remarks made in a recent thread, I had a look at the Verisign 1.0 CPS from 1996 and the very latest Verisign CPS from June 2008, twelve years later. Here's the authentication requirements for businesses. One is from the 1.0 CPS, which was going to Solve the Problem twelve years ago. The other is from the 2008 EV-cert CPS, which is going to Solve the Problem today. Without going out to check, see if you can tell which is which. I've harmonised the style and wording a bit since it's otherwise possible to make a pretty good guess based on the form of the text, the current CPS has way more legalese:
Where required, the third party confirms the business entity's name, address, and other registration information through comparison with third- party databases and through inquiry to the appropriate government entities. Confirmation of information of companies, banks, and their agents requires certain customized (and possibly localized) procedures focusing on specific business-related criteria (such as proper business registration). The third party also provides telephone numbers that are used for out-of-band communications with the business entity to confirm certain information (for example, to confirm an agent's position within the business entity or to confirm that the particular individual listed in the application is in fact the applicant). If its databases do not contain all the information required, the third party may undertake an investigation, if requested by the IA, or the certificate applicant may be required to provide additional information and proof. The third party must be a legally recognized entity whose formation included the filing of certain forms with the Registration Agency in its Jurisdiction, the issuance or approval by a Registration Agency of a charter, certificate, or license, and whose existence can be verified with that Registration Agency, and must have a verifiable physical existence and business presence. If the third party represents itself under an assumed name, VeriSign verifies the third party's use of the assumed name. The only difference I can see is that one CPS exhaustively itemises the various bits and pieces that are checked whereas the other gives it in general terms, I've left out the list itself because it'd make this a five-page posting with not a lot more content. If you want to see the verification requirements for yourself, they're in section 5.1.3 (old CPS) and Appendix B1 5(c) with an almost-identical copy at 14(C) with more detail in sections that follow (new CPS). Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]