You are correct that 11.2.2(4)(A) does not require that, because 11.2.2(4) is limited to a specific type of subject, rather than corporate or government identities (11.2.2(1) and (3), and 11.2.2(4), respectively). This is not surprising, as corporate legal persons do not themselves constitute natural persons that you can meet F2F with.
I think if that's something of value - and again, I question that premise itself - then I think it's worth noting that the F2F method you describe allows for a Registration Agency (a QGIS...) to do that. If the Validation WG were to do that, then it seems like it would also be necessary to maintain an open, community database of Registration Agencies that one or more CAs have deemed to fulfill or not fulfill the F2F validation requirements, as otherwise, the level of assurance is insufficient when considering a holistic system that allows two CAs to reach different conclusions about the same Registration Agency's process. And much like the questioning of the utility of QGIS's and their use as a single source of information, we'd have simply moved the weak link from being the QGIS to the means or method of which the CA attests to the independence of the Third-Party Validator (which 11.2.2(4)(B) allows the CA to do at its discretion) if we are to make a meaningful statement about the holistic value of EV.

On Wed, Nov 29, 2017 at 1:33 PM, Kirk Hall via Public <[email protected]> wrote:

> Interesting idea, Wayne – we already have a process in the EV Guidelines for doing Face-to-Face Validation for individuals at EVGL 11.2.2(4)(A), but it’s not required in all cases. Maybe this is as simple as adding that as a requirement in all cases for EV certs.
>
> *From:* Wayne Thayer [mailto:[email protected]]
> *Sent:* Wednesday, November 29, 2017 9:44 AM
> *To:* Ryan Sleevi <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
> *Cc:* Kirk Hall <[email protected]>
> *Subject:* Re: [cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing
>
> The EV process is intended to gather a robust body of information about the Subject that, when viewed collectively, "provides users with a trustworthy confirmation of the identity of the entity". James and later Ryan have pointed out a weakness in the standard where incorrect data from a single data source (QGIS) could be used to obtain a "properly validated" EV certificate containing that incorrect data.
>
> A positive outcome from this discussion would be for the Validation WG to review this information and propose changes to the EVGLs (such as a requirement for face-to-face validation mentioned by Jeremy) that mitigate this weakness.
>
> Wayne
>
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public
