Nelson B Bolyard wrote:
> Bruce wrote, On 2008-06-06 14:46:
<snip>
>> Business ID is generally performed through third party database look-
>> ups. Individual ID is accepted by fax.
>
> Is that good enough for Individual ID?
> Can you detect if an individual faxes a stolen ID?
Before we go too far down this path... I believe that having people fax
in identity documents (whether individual or corporate) is a fairly
common and accepted practice in the CA world. Unless someone can show me
that I'm wrong and that Entrust's practices are significantly out of
line with the rest of the industry, this is not an issue I'd see as
relevant for this particular request.
This touches on the point I made earlier about "reasonable measures" as
used in our CA policy, and the term "commercially reasonable" as used in
US and Canadian legal contexts. The contrasting legal term to
"commercially reasonable" is "best efforts", which is a more stringent
standard implying (in a CA context) that the CA would take pretty much
any and all measures practicable to verify identity ("leave no stone
unturned") and would strive to minimize as much as possible the
possibility of accepting a fraudulent application.
In my opinion the level of verification for IV/OV certs, as practiced in
the CA industry and required by our policy, corresponds to a
"commercially reasonable efforts" standard. If we want to apply a "best
efforts" standard then IMO that's what EV is for.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
