Companies House (http://resources.companieshouse.gov.uk/serviceInformation.shtml#compInfo)
says "We carry out basic checks on documents received to make sure that
they have been fully completed and signed, but we do not have the statutory
power or capability to verify the accuracy of the information that
companies send to us. The fact that the information has been placed on the
public record should not be taken to indicate that Companies House has
verified or validated it in any way."

Dun and Bradstreet takes a copy of this information without any
verification checking, and it can be easily updated here
https://www.dnb.co.uk/utility-pages/data-update.html, again without any
verification checks.

When a CA is vetting an organization for an EV certificate, what
information is actually vetted? Does the organization operate at that
address? Am I actually speaking to the director James Burton in the
verification call?

The correct way to vet a UK company would be to:
1. The CA checks Companies House to check if the company is incorporated.
2. The CA sends a letter with verification code to the company address
listed on Companies House.
3. The CA requests the company to send them a bank statement / tax bill to
prove operation.
4. Once the company has sent the information provided in (3) and it is
confirmed by the CA, then (5); otherwise (3).
5. Once the company receives the letter with the verification code, then (6);
otherwise vetting is on hold until the company receives the letter with the
verification code.
6. The CA initiates a video call with the director listed at Companies
House and then the CA does the following:
a) Asks the director to hold up his/her passport to the side of their face
to confirm that the face matches the passport photo, and then the CA
confirms that details such as full name and DOB match the information printed
on the passport.
b) The CA asks the director to hold up the verification letter in front of
the camera to confirm company address.
c) The CA then calls the company number listed on the 3rd party register
(an automated phone call, like the Google verification phone call) and the
director tells that verification code to the CA to confirm that the phone
number belongs to the company.
d) Signs the agreement.
7. That's it.

On Tue, Aug 27, 2019 at 9:21 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 27/08/2019 08:03, Peter Gutmann wrote:
> > Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
> >
> >> <https://www.typewritten.net/writer/ev-phishing/> and
> >> <https://stripe.ian.sh/> both took advantage of weaknesses in two
> >> government registries
> >
> > They weren't "weaknesses in government registries", they were registries
> > working as designed, and as intended.  The fact that they don't work in
> > the way EV wishes they did is a flaw in EV, not a problem with the
> > registries.
> >
>
> "Working as designed" doesn't mean "working as it should".
>
> The confusion that could be created online by getting EV certificates
> matching those company registrations was almost the same as that which
> could be created in the offline world by the registrations directly.
>
>
> >> Both demonstrations caused the researchers' real name and identity to
> >> become part of the CA record, which was hand waved away by claiming that
> >> could have been avoided by criminal means.
> >
> > It wasn't "wished away", it's avoided without too much trouble by
> > criminals, see my earlier screenshot of just one of numerous black-market
> > sites where you can buy fraudulent EV certs from registered companies.
> > Again, EV may wish this wasn't the case, but that's not how the real
> > world works.
> >
>
> The screenshots you showed were for code signing EV certificates, not
> TLS EV certificates.  They seem related to a report a few years ago that
> spurred work to check the veracity of those screenshots and create
> appropriate countermeasures.
>
> >> 12 years old study involving an equally outdated browser.
> >
> > So you've published a more recent peer-reviewed academic study that
> > refutes the earlier work?  Could you send us the reference?
> >
>
> These two studies are outdated because they study the effects in a
> different overall situation (they were both made when the TLS EV concept
> had not yet been globally deployed).  They are thus based on entirely
> different facts (measured and unmeasured) than the situation in 2019.
>
> Very early in this thread someone quoted from a very recent study
> published at USENIX, comparing the prevalence of malicious sites with
> different types of certificates.  The only response was platitudes,
> such as emphasizing a small number being nonzero.
>
> Someone is trying very hard to create a fait accompli without going
> through proper debate and voting in relevant organizations such as
> the CAB/F.  So when challenged they play very dirty, using every
> rhetorical trick they can find to overpower criticism of the action.
>
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy