Hi Jean-Marc,

Jean-Marc Desperrier wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>> Really? Why is that? Personally I tend to trust individuals more than 
>> "companies" which can come and go within a matter of days!
>>     
>
>
> But if you cannot do a face to face meeting, there are usually very few 
> publicly available registries where an individual must be registered and 
> that you can use to check the validity of his info. Whereas there are 
> several for companies. 
I don't know where exactly you have this knowledge from, but let me 
assure you that information about individuals is by far more readily 
available:

A person usually gets registered on the day he/she is born.
Interior ministries have records.
Municipalities have records.
Tax offices have records.
Social insurances and benefits have records.
Police have records.
Military have records.
Health institutions have records.
Phone companies have records.
Embassies have records.
An endless list....

Additionally individuals have many social and physical needs, whereas a 
company has none. A company doesn't need a health insurance, pension 
plan, hospital visits etc. etc. Also from a legal aspect, a company has 
usually limited liabilities and I would like to see how you sue a 
company which closed (all legal after all) yesterday.

>
>   
>>> Next page asks me to enter a Surname/First Name/Phone number for 
>>> Technical Contact, and an Admin Contact Person with email, Street & 
>>> number, and Phone number in addition to the Payment Method info.
>>> So the question is will they properly identify and reject a non 
>>> responding number or a cell phone number?
>>>       
>> And if the phone number is a public phone around the corner? Or a 
>> cell-phone for rent? Is this verified by a third party that the number 
>> belongs to the person/company in question?
>>     
Your reply below is somewhat out of context, because you reported about 
various CAs, in particular about GlobalSign: "I'm really worried it 
might be little more than accepting any valid credit card".

I just wanted to point out the fact that if the phone number isn't 
verified with a third party, then any phone callback is useless.
>
> Public phones are already a bit painful, you will need to have someone 
> constantly by the phone to answer it for a period that may last several 
> days, unless it's highly predictable when the CA will call back. But of 
> course if cell-phones for rent or prepaid phones are accepted, it becomes 
> extremely easy.
>
> So a good policy must do that sort of check, and you'll find them 
> inside the EV certificate procedure:
> &14/b/1
> "All items listed in subsection (a)(1) above MUST
> be verified directly [...] or [...] using an address or phone number 
> obtained from a Qualified Independent Information Source."
>
> Note that the logic is reversed. You don't check the phone provided 
> belongs to the company, but you check that you can use the phone number 
> given by an authoritative source to contact the person who requested the 
> certificate.
>
> The trouble is that you cannot really do the same for an individual. 
> Just a little later in the doc, the EV procedure describes how to 
> authenticate an individual, and it starts with "face to face meeting".
>   

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      [EMAIL PROTECTED]
Phone:       +1.213.341.0390