> On 4 Dec 2017, at 12:51 pm, Kirk Hall <[email protected]> wrote:
>
> Geoff, a few quick responses to your points below:
>
> 1. I think you are proposing the CA confirm the address information by
> sending (mail, delivery) a confirmation message with a shared secret to the
> customer, and requiring a response back using the shared secret. I think
> that's a good idea - it might get problematic for a big company (for Apple,
> we might have to mail to you at 1 Infinity Loop - how long would it take for
> you to receive it?).

No—this section is verification of ‘Applicant’s Physical Existence’, so this would be (i)(2), a site visit confirming such things as permanent signage. The ability to receive mail is not what that section is trying to check; drop boxes, PO boxes, and such are not good enough.

> 2. We can also require a Face-to-Face requirement to discourage potential
> fraudsters, maybe limited to companies less than 1 year old (less than 6
> months old?) and with net worth (as reported in a third party business data
> source) of less than $1 million (?) - financial estimates like that are made
> by the third party data source, and are not self-reported. Maybe we also
> should limit the mailing address confirmation the same way - only require for
> companies that are less than 1 year old (6 months old?) and with net worth
> (as reported in a third party business data source) of less than $1 million.

Again, I’m not sure what a face-to-face would be verifying. This isn’t about existence of the person, it’s about the business.

> 3. Geoff, while it's true that third party data sources will start with
> self-reported data (like name and address), the rest of the data they use is
> typically compiled by the third party data source, not just from
> self-reported data or copied from public government data bases.

Yes… but we don’t require any of that other data, just the name and address.

> Remember, the main customers of Hoover's and D&B are using the data to make
> major credit decisions, not just to confirm addresses or incorporation
> status, and the third party data sources use their own data (including credit
> reporting from vendors who work with the subject company) and their own
> anti-fraud algorithms to avoid broadcasting false data.

Well, maybe we could require an actual credit check, then? Or at least existence of a bank account? Banks are required to do their own verification so I’d think the existence of a bank account with that address should count for something.
But a bank usually won’t release the physical address, only the mailing address…
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
