* Gervase Markham:

> Florian Weimer wrote:
>> Section 18 does not require that the domain holder is aware of the
>> application. 
>
> Section 18 requires that the domain holder _be_ the applicant.

Some CAs disagree with this interpretation.  Here's an example:

Domain:      seb-bank.de
Domain-Ace:  seb-bank.de
Nserver:     ns01.systemhaus.net
Nserver:     ns02.systemhaus.net
Status:      connect
Changed:     2007-12-20T04:10:23+01:00

[Holder]
Type:         PERSON
Name:         SEB Card Service GmbH
Address:      Ben-Gurion-Ring 174
Pcode:        60437
City:         Frankfurt am Main
Country:      DE
Changed:      2007-12-20T02:38:07+01:00

[Admin-C]
Type:         PERSON
Name:         Silke Grassmann
Address:      SEB Card Service GmbH
Address:      Ben-Gurion-Ring 174
Pcode:        60437
City:         Frankfurt
Country:      DE
Changed:      2006-07-10T14:44:06+02:00

But the EV certificate was issued to "SEB AG", a different legal
entity.  (SEB AG, in turn, is part of Skandinaviska Enskilda Banken
AB.)

> "To verify Applicant's registration, or exclusive control, of the domain
> name(s) to be listed in the EV certificate, the CA MUST ..."
>
> So the person who is the Applicant must either be the registrant of, or
> have exclusive control of, the domain name. I can't see how you can read
> it any other way.

The methods listed there are alternatives, not simultaneous
requirements.  They must work with a diverse set of WHOIS conventions,
ownership structures, and internal communication issues at the
applicant.

>> loophole, though; my point is that it's possible to game the EV
>> process so that parties nominally not able to get EV certificates can
>> get them.)  
>
> Again, how?

Find someone who is eligible for an EV certificate, ask them to get a
certificate for your domain, and forward all communication related to
the EV process to them, so that some of the required checks will
succeed.

This is probably what happened in the seb-bank.de case.

>> But is it really true that Mozilla Corporation has exclusive control
>> over the mozilla.org domain, as implied by the addons.mozilla.org EV
>> certificate?  The web site indicates that it (the site) belongs to
>> the Mozilla Foundation, and that mozilla.com is Mozilla Corporation's
>> domain.
>
> The Mozilla Corporation is a wholly-owned subsidiary of the Mozilla
> Foundation.

This doesn't answer my question.  It matters from the EV process point
of view, and I think your records should show which entity actually
owns the domain name.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
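
The mismatch described in the message above (WHOIS holder "SEB Card Service GmbH" versus certificate organization "SEB AG") can be checked mechanically. The following is an added example, not part of the original post; the function names are hypothetical, the WHOIS text is trimmed from the record quoted in the post, and the certificate's O value is assumed to be supplied as a plain string.

```python
import re

# WHOIS text copied from the post above (DENIC-style layout), trimmed to the fields used here.
WHOIS_SAMPLE = """\
Domain:      seb-bank.de
Status:      connect

[Holder]
Type:         PERSON
Name:         SEB Card Service GmbH
City:         Frankfurt am Main
Country:      DE

[Admin-C]
Type:         PERSON
Name:         Silke Grassmann
Address:      SEB Card Service GmbH
"""

def parse_whois(text):
    """Split the record into sections; keys may repeat, so values are lists."""
    sections, current = {}, "Domain"  # lines before the first [Section] go under "Domain"
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif ":" in line:
            key, value = line.split(":", 1)  # split once: timestamps contain colons
            sections.setdefault(current, {}).setdefault(key.strip(), []).append(value.strip())
    return sections

def normalize(name):
    """Case-fold and collapse punctuation/whitespace; legal-form suffixes are kept
    on purpose, because 'X GmbH' and 'X AG' are different legal entities."""
    return " ".join(re.sub(r"[^\w\s]", " ", name.casefold()).split())

def holder_matches_subject(whois_text, subject_org):
    """Return (match, holder_names) comparing WHOIS [Holder] Name to the cert's O field."""
    holders = parse_whois(whois_text).get("Holder", {}).get("Name", [])
    wanted = normalize(subject_org)
    return any(normalize(h) == wanted for h in holders), holders

if __name__ == "__main__":
    ok, holders = holder_matches_subject(WHOIS_SAMPLE, "SEB AG")
    print("match" if ok else f"review: holder {holders} != certificate O 'SEB AG'")
```

A non-match is a prompt for manual review, not proof of mis-issuance, since the message notes that the listed verification methods are alternatives.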
