Frank Hecker:
Nelson B Bolyard wrote:
Is that good enough for Individual ID?
Can you detect if an individual faxes a stolen ID?
Before we go too far down this path... I believe that having people fax
in identity documents (whether individual or corporate) is a fairly
common and accepted practice in the CA world. Unless someone can show me
that I'm wrong and that Entrust's practices are significantly out of
line with the rest of the industry, this is not an issue I'd see as
relevant for this particular request.
This touches on the point I made earlier about "reasonable measures" as
used in our CA policy, and the term "commercially reasonable" as used in
US and Canadian legal contexts. The contrasting legal term to
"commercially reasonable" is "best efforts", which is a more stringent
standard implying (in a CA context) that the CA would take pretty much
any and all measures practicable to verify identity ("leave no stone
unturned") and would strive to minimize as much as possible the
possibility of accepting a fraudulent application.
In my opinion the level of verification for IV/OV certs, as practiced in
the CA industry and required by our policy, corresponds to a
"commercially reasonable efforts" standard. If we want to apply a "best
efforts" standard then IMO that's what EV is for.
A few things here:
According to the Mozilla CA policy we don't have to verify the IV/OV
procedures usually, because the policy doesn't require it. However - and
this is highly important to understand why and where also my experience
as a CA comes in - it is important when those validations (IV/OV) are
part of the validation procedure for domain, respectively email
ownership verification. If ownership and control of a domain (and email)
is performed by other means, it's not really important.
In this specific case it is important since no other procedure exists.
That's also the reason why I requested to know more about the procedures
performed by Entrust and its RAs. In this respect the question of Nelson
is legitimate because it's not beyond the scope of what Mozilla requires.
Now, the industry standard of accepting faxes and other phrases about
"reasonable measures", "best efforts" isn't really relevant if faxes
aren't up to today's reasonable possibilities. Faxes are really
something of the last century and today it's many times easier for the
customer to scan photo ID cards, passports etc. and provide them. Those
are of much higher quality usually and tools exist to detect retouching
and editing of originals which is very hard to do with faxes. Obviously
not the same as face-to-face verification, which however isn't really
feasible most of the times.
But even in this case, the documents relayed to the CA are really only
one of the pointers for successfully validating a person and/or
organization and in doubt there are other means to receiving this
information. The big question is usually, which effort the CA is willing
to make and how fast it gets satisfied in order to receive the payment.
Paradoxically, CAs are really getting their money from the wrong
parties, but nothing will change that.
About EV: Extended Validation isn't a "best effort", but a defined
procedure about how to do what. In my opinion, it isn't even the best a
CA can do and as with all OV validation where the organization is the
*only* part which is confirmed has very obvious shortcomings! If you
don't mind, read about it at https://blog.startcom.org/?p=94 where I
explained what it really means. Which is by the way not bad if the
relying party knows what it means too - which I doubt. In short, a "best
effort" you might find perhaps somewhere else, I'd rather say it's a
"defined and forced upon the CAs effort" ;-)
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
