* Gervase Markham:

> Florian Weimer wrote:
>> Organizations not on this list can usually get an EV certificate
>> through a corporate sponsor. The EV process does not verify that the
>> party to which the certificate is issued is the actual end user, or
>> that it is the legal entity which controls the domain name mentioned
>> in the Common Name field.
>
> That's simply incorrect. EV Guidelines version 1.1, sections 3.a.2.C,
> 6.a.2, 13.a.2 and, primarily, section 18 all refer to the requirement to
> check that the applicant is the registered holder of the domain name.
> http://www.cabforum.org/EV_Certificate_Guidelines_V11.pdf

Section 18 does not require that the domain holder is aware of the application. This is a loophole, but a necessary one, because WHOIS service is not globally available. (I was not referring to this loophole, though; my point is that it's possible to game the EV process so that parties nominally not able to get EV certificates can get them.)

Section 18 also treats DNS as a two-level hierarchy (TLDs and domain names), which is an oversimplification, but I'm not sure how likely this is to cause any problems.

But is it really true that Mozilla Corporation has exclusive control over the mozilla.org domain, as implied by the addons.mozilla.org EV certificate? The web site indicates that it (the site) belongs to the Mozilla Foundation, and that mozilla.com is Mozilla Corporation's domain.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto