On 22/01/18 18:37, Jonathan Rudenberg via Public wrote:
> The phone number in a D&B record that matches the Registrant
> Organization and address from the WHOIS does not indicate domain
> control, all it indicates is that someone put a record into the D&B
> database. There are >25 results matching ‘Apple’ with an address in
> California in the D&B database, so clearly they don’t do any
> duplicate prevention, which makes sense because business entity names
> are not unique. This means that anyone who can either a) create a new
> D&B entry that would match your search or b) edit an existing D&B
> entry matching your search has the ability to receive certificates
> using this method. Obviously neither a) nor b) indicates domain
> control, so this method is completely inadequate.

This isn't a killer if Step 5 becomes:

Step 5: Vetting team calls the Applicant Authorization Contact, Curt Spann, using the phone number shown in the WHOIS record for Apple, Inc. found in Step 3 – 408-996-1010.

Then there is a link between domain control and the phone number called to reach the Authorization Contact.

> Additionally, even without any changes to the D&B database, there is
> no link between the Applicant Authorization Contact and domain
> control. This means that anyone accessible via the phone number in
> D&B can authorize the issuance of a certificate. So if the phone
> number is a corporate switchboard, anyone in the phone directory,
> including janitorial staff, interns, and temporary contractors would
> be capable of authorizing certificate issuance if their name was
> specified as the Applicant Authorization Contact.

Yes, I noticed this one too. WHOIS does not provide the name of a real person to talk to, so one might argue you have to email the address given in WHOIS - and then, of course, you are using a different method.

Gerv

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
