Interesting idea, Wayne – we already have a process in the EV Guidelines for doing Face-to-Face Validation for individuals at EVGL 11.2.2(4)(A), but it’s not required in all cases. Maybe this is as simple as adding that as a requirement in all cases for EV certs.

From: Wayne Thayer [mailto:[email protected]]
Sent: Wednesday, November 29, 2017 9:44 AM
To: Ryan Sleevi <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
Cc: Kirk Hall <[email protected]>
Subject: Re: [cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing

The EV process is intended to gather a robust body of information about the Subject that, when viewed collectively, "provides users with a trustworthy confirmation of the identity of the entity". James and later Ryan have pointed out a weakness in the standard where incorrect data from a single data source (QGIS) could be used to obtain a "properly validated" EV certificate containing that incorrect data. A positive outcome from this discussion would be for the Validation WG to review this information and propose changes to the EVGLs (such as a requirement for face-to-face validation mentioned by Jeremy) that mitigate this weakness.

Wayne
