* Eddy Nigg:

> if the EV guidelines require a site visit

They don't, as far as I can tell. Evidence provided by a Qualified Independent Information Source (QIIS) is usually sufficient. Verisign seems to have copied this part of the guidelines verbatim.

Now the interesting question is how much wiggle room there is in the definition of a QIIS. Looks like a lot to me, and I wouldn't be surprised if anyone had problems saying with certainty whether certain WHOIS operators can serve as a QIIS.

By the way, much of this could be sidestepped if CAs were required to publish all the evidence they have gathered together with the EV certificates they issue (in a complete list of certificates, not just those certificates that are actually used on popular sites). This way, everyone could review the strength of each CA's EV process. The peer pressure should be sufficient to ensure that everyone keeps their backyards clean.

> EV is already flawed by the biggest certification authority

Is the current certificate on https://www.verisign.com/ an EV certificate? It lacks a physical address, which is required by (my reading of) the guidelines.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security