On Jun 6, 9:34 am, "Eddy Nigg (StartCom Ltd.)"
<[EMAIL PROTECTED]> wrote:
> Hi Bruce,
>
> Bruce:
>
>
>
> > All Organization Validated SSL certificates are issued using a three
> > part process. The applicant's business name is validated against a
> > third party database (e.g. D&B or government registry). Domain names
> > are validated via a WHOIS lookup to ensure that the domain is
> > registered to the business or that the applicant has the right to use
> > the domain (i.e. parent or subsidiary company of registrant). Finally,
> > an employee of the applicant is contacted through a phone number found
> > in a third party source to confirm authorization to issue the
> > certificate. See the Entrust enrollment guide for more details on the
> > verification process
> > http://www.entrust.net/ssl-resources/pdf/ssl-wap-enrollment-guide.pdf.
> > This process is audited as part of our WebTrust for CA audit. FYI,
> > Entrust does not issue Domain-only Validated SSL certificates.
>
> Thank you for providing us with this information. If I understand
> correctly (also according to the enrollment guide) if the WHOIS records
> don't match those of the subscriber, the process is stopped and the
> request rejected? Therefore the example I made previously wouldn't be
> acceptable?
>
> Also, do you request from subscribers to actually see some documents,
> like photo ID and company registration confirmation or similar? And how
> do you make sure that the subscriber is authorized for requesting a
> certificate? Also it seems that you rely only on confirming the
> (organization) details with that of the relevant authority (like company
> registry)? Are there any other cross-verifications you perform in order
> to establish sufficient authorization and privileges by the subscriber?
>
> The reason I'm asking is because it appears to me that you don't perform
> some kind of administrative privilege check to verify domain ownership
> (and control), instead you rely on information provided by the
> subscriber and a phone call to the number you found in the phone
> directory for that business (and most likely by requesting to speak with
> the person who submitted the request).
>
> In that respect, domain validation by automated means isn't such a bad
> thing to establish initial authorization and control over the domain.
>
> Regards
> Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
> Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
> Blog:   Join the Revolution! <http://blog.startcom.org>
> Phone:  +1.213.341.0390

You are correct, if the WHOIS records do not match then the process is
stopped. In the case of a private domain registration as per your
Domains by Proxy example, we would confirm via another method such as
1) through the registrar (Domains by Proxy provides this service), 2)
have domain information made public, 3) communication with the
registrant through the registrar.

Business ID is generally performed through third party database look-
ups. Individual ID is accepted by fax.

Authorization is confirmed by calling an authorizing contact at the
business that has registered the domain. This is an additional contact
to the certificate requester.

Regards, Bruce.
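The WHOIS step of the process described in this thread has three distinct outcomes: the registrant matches the applicant (or an affiliated parent/subsidiary) and the request proceeds, the registrant is a privacy proxy such as Domains by Proxy and an alternate confirmation method is needed, or the records simply do not match and the request is rejected. The following is an added illustration, not code from Entrust, StartCom or the list, of how a CA's intake tooling might automate that triage. The WHOIS records, the organization names, the privacy-service list and the status strings are all constructed for the example; the manual follow-up steps (registrar contact, fax ID, phone call to an authorizing contact) remain outside the code.

```python
import re

# Constructed sample WHOIS responses; none of these are real registrations.
WHOIS_MATCH = """\
Domain Name: EXAMPLE-WIDGETS.COM
Registrant Name: Hostmaster
Registrant Organization: Example Widgets, Inc.
Registrant Email: hostmaster@example-widgets.com
"""

WHOIS_PROXY = """\
Domain Name: EXAMPLE-WIDGETS.NET
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Email: EXAMPLE-WIDGETS.NET@domainsbyproxy.com
"""

WHOIS_MISMATCH = """\
Domain Name: EXAMPLE-WIDGETS.ORG
Registrant Name: J. Doe
Registrant Organization: Unrelated Holdings Ltd
Registrant Email: jdoe@unrelated.example
"""

# Assumed (illustrative) list of privacy/proxy registration services,
# compared after normalization so "Domains By Proxy, LLC" still matches.
PRIVACY_SERVICES = {"domains by proxy"}

# Corporate suffixes dropped before comparison so that
# "Example Widgets, Inc." and "Example Widgets Inc" compare equal.
CORPORATE_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "gmbh", "plc"}


def parse_whois(text):
    """Parse 'Key: value' lines of a WHOIS response into a dict keyed by lowercase field name."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def normalize_org(name):
    """Lowercase, strip punctuation and corporate suffixes, collapse whitespace."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in CORPORATE_SUFFIXES)


def evaluate_domain_claim(whois_text, applicant_org, affiliated_orgs=()):
    """Triage the WHOIS step of an organization-validated request.

    Returns one of:
      "domain_ok"                       registrant is the applicant or an affiliate
      "alternate_verification_required" registrant is a privacy proxy; confirm
                                        through the registrar or by having the
                                        record made public (manual step)
      "rejected"                        registrant does not match the applicant
    """
    record = parse_whois(whois_text)
    registrant = normalize_org(record.get("registrant organization", ""))

    # A proxy registration is not a mismatch: the real registrant is hidden,
    # so the decision is deferred to an out-of-band confirmation method.
    if any(service in registrant for service in PRIVACY_SERVICES):
        return "alternate_verification_required"

    # The applicant itself, or a declared parent/subsidiary, may hold the domain.
    accepted = {normalize_org(org) for org in (applicant_org, *affiliated_orgs)}
    if registrant and registrant in accepted:
        return "domain_ok"
    return "rejected"


if __name__ == "__main__":
    applicant = "Example Widgets Inc"
    for label, rec in (("match", WHOIS_MATCH), ("proxy", WHOIS_PROXY), ("mismatch", WHOIS_MISMATCH)):
        print(f"{label:9s} -> {evaluate_domain_claim(rec, applicant)}")
```

Note that a "domain_ok" result only closes the WHOIS step; as Bruce describes, authorization is still confirmed separately by calling an authorizing contact located through a third-party source, and a missing or empty registrant organization field falls through to rejection rather than being treated as a match.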
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
