Eddy Nigg (StartCom Ltd.) wrote:
> Jean-Marc Desperrier wrote:
>> Any CA that accepts to deliver code signing certificates to individuals
>> and not companies will have an extremely hard time doing a high quality
>> identity verification.
>>
> Really? Why is that? Personally I tend to trust individuals more than
> "companies" which can come and go within a matter of days!

If you can do a face to face meeting with a person, if you can confirm what his job is, where his home is, if you grasp elements about him that he is very unlikely to just walk away from, yes, you can trust him more than a company whose stability you did not check.

But if you can not do a face to face meeting, there are usually very few publicly available registries where an individual must be registered and that you can use to check the validity of his info. Whereas there are several for companies. And they usually also allow you to check how long the company has been in existence, as well as other points that help you minimize the risk that the company will be gone in a few days.

>> Next page asks me to enter a Surname/First Name/Phone number for
>> Technical Contact, and an Admin Contact Person with email, Street &
>> number, and Phone number in addition to the Payment Method info.
>> So the question is will they properly identify and reject a non
>> responding number or a cell phone number?
> And if the phone number is a public phone around the corner? Or a
> cell-phone for rent? Is this verified by a third party that the number
> belongs to the person/company in question?

Public phones already are a bit painful: you will need to have someone constantly by the phone to answer it for a period that may last several days, unless it's highly predictable when the CA will call back. But of course if cell-phones for rent, or prepaid phones, are accepted, it becomes extremely easy.

So a good policy must do that sort of check, and you'll find it inside the EV certificate procedure, §14/b/1: "All items listed in subsection (a)(1) above MUST be verified directly [...] or [...] using an address or phone number obtained from a Qualified Independent Information Source."

Note that the logic is reversed. You don't check that the phone provided belongs to the company, but you check that you can use the phone number given by an authoritative source to contact the person who requested the certificate.

The trouble is that you can not really do the same for an individual. Just a little later in the doc, the EV procedure describes how to authenticate an individual, and it starts with "face to face meeting".

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto