Gerv, interesting. I'd also be interested in looking more into the areas you
highlighted. Thanks, Mike

-----Original Message-----
From: Public [mailto:[email protected]] On Behalf Of Gervase Markham 
via Public
Sent: Thursday, September 14, 2017 6:08 AM
To: CABFPub <[email protected]>
Subject: [cabfpub] Obtaining an EV cert for phishing

As noted in the Paypal/Let's Encrypt meeting yesterday, James Burton has 
published a blog post claiming that it's not difficult to get a fraudulent EV 
certificate:
https://0.me.uk/ev-phishing/

Now, they didn't actually get a fraudulent one, and it did take them a few days 
and a reasonable amount of manual work, but if we accept for the sake of 
argument their claim that valid stolen personal ID can be obtained online 
easily, it does seem that the other steps are not too onerous.

As someone noted at the meeting, fraudsters often don't pay for things with 
their own money. To my mind, the "cost" of EV is in the requirement to either 
reveal your true identity, or to spend prohibitive time on a successful effort 
to fool the checks.

I hope we can use this as a learning experience. Because a certificate was not 
misissued, there is no obligation on them to do so, but I hope that in the 
cause of making EV better, Symantec would be willing to discuss their EV 
verification steps and what happened in this case, so we can look and see if 
the EV process needs improving.

Some areas I'd particularly like to consider:

11.4: Verification of Applicant’s Physical Existence. How was that done in this 
case, and what was the address which was verified?

11.6: Verification of Applicant’s Operational Existence. How was that done in 
this case? Which clause of 11.6.2 was used? What were the results?

Gerv


_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
