
Fwd: RE: Mozilla questions regarding the EV standard


Gervase Markham

Nov 17, 2006, 10:34:03 AM11/17/06
I summarised some questions from this group and sent them to the spec
editor (Kelvin Yiu); here are the responses. I hope I put the questions
correctly. If not, or if you have a follow-up question, you may want to
channel those through Frank, as I am away for the next three weeks.

<snip>

> 1) David Baron:
>
> Q: Does misrepresentation of identity automatically lead to certificate
> revocation?

[Kelvin Yiu] It should. The EV guidelines assume misrepresentation of
identity equates to non-compliance with applicable law (E.12.b.4), which
would violate the subscriber agreement (SA). Violation of the SA is a
reason for revocation (G.27.b.4). The EV guidelines currently do not
assume the availability of a real-time revocation mechanism. No browser
has enabled revocation by default yet, and the industry as a whole needs
more experience with operating OCSP on a 24x7 basis before we can
determine whether relying on real-time OCSP to mitigate short-term
phishing attacks is realistic.

> After skimming some parts of the draft, my biggest concern here is
> the tension between B.2.a.1 and B.2.c.3, and its implications on
> when certificates would be revoked.
>
> In particular, I think misrepresentation of identity within a Web
> site that uses an EV cert must be grounds for revocation. B.2.a.1
> says that one of the primary purposes of a cert is to identify the
> legal entity behind a Web site. But I don't think the average
> consumer knows the exact name of the legal entity running every
> business they interact with.
>
> For example, suppose a company is formed called "Washington Banking,
> Inc.", and they apply for and obtain an EV cert under that name.
> They then write a Web site that uses the name and logo of Washington
> Mutual as part of a "phishing" attack. What percentage of consumers
> would know that the legal entities behind the bank they know as
> Washington Mutual are (based on the contents of
> http://www.wamu.com/personal/default.asp ) "Washington Mutual Bank",
> "Washington Mutual, Inc.", and other legal entities, but not
> "Washington Banking, Inc"?

[Kelvin Yiu] I understand the concern and this is something that we have
struggled with. The issue is that "Washington Banking, Inc" may be a
real legal entity doing legitimate business. At the time of certificate
issuance, the CA does not have the information to determine whether the
company is doing legitimate business. We also expect CAs to be
conservative and likely to investigate revocation requests thoroughly
so they don't shut down a legitimate site by accident. Combined with
the need to cache revocation information for scalability reasons, we
don't think revocation currently is an acceptable mechanism to shut down
phishing sites quickly. For now, other anti-phishing features in the
browser (such as the anti-phishing feature in IE7) are more applicable
than EV certificates. Revocation remains a viable mechanism to ensure
bad certificates cannot be used in other scenarios over the medium and
long timeframe.

> It seems that given that preventing such an attack is excluded from
> the purposes of EV certificates and would not (I think, although I
> didn't follow all the pointers leading out of the revocation part of
> the spec) lead to revocation of the certificate. This seems like a
> problem.
>
> It seems like this spec overemphasizes the concept of "legal entity"
> when the real problem here is misrepresentation of identity. So
> shouldn't misrepresentation of identity, within any Web site served
> using an EV cert, be grounds for revocation of that cert? In other
> words, it seems to me that B.2.b.1 should be a primary purpose of EV
> certificates, and B.2.a.1 should be secondary.

[Kelvin Yiu] The emphasis on legal entity is to ensure the CA first
correctly identifies the company (corporation, LLC, LLP, etc.), then
identifies whether it has registered the business name with a state, and
verifies that the certificate requestor has the appropriate authority to
request a certificate. You cannot accurately verify other pieces of
information if you cannot accurately identify the entity.

> 2) Heikki Toivonen:
>
> Q: Why does the draft allow a CA to limit its liabilities even if it has
> not followed the EV guidelines?

[Kelvin Yiu] Limiting liability is in accordance with existing industry
practices. The fact is no one knows whether the liability limit is
actually legally enforceable.

> 3) Ben Bucksch:
>
> Q: How are the phone number and address linked? A phone number can be
> verified by calling it (16(b)(2)(A)+(C)). Then this number can be
> used to verify the signature, with "a response from someone who
> identifies themselves as such person confirming that he/she did sign the
> applicable document". Maybe I have overlooked something, but I could
> give them the address of eBay, but *my* phone number, sign the doc, and
> then when they call me, greet with "Ben Bucksch of eBay speaking" and
> confirm that I am a "Contract Signer" who is allowed to represent eBay
> and I did indeed sign the doc.

[Kelvin Yiu] 16.b.2.A+C is the case where the CA is doing a physical
site visit. While the site inspector is at the address taking pictures
and generally confirming the physical location (16.a.2.A.2), they call
the telephone number and see if the phone rings. If you give them eBay's
real address and your own phone number, chances are the phone won't ring
at the eBay receptionist's desk.

For a company like eBay, they are likely to be listed in a commercial
database such as Dun and Bradstreet or the phone company directory. It
is far more likely (and cheaper) for the CA to call the phone number
listed in such a database (16.b.2.A+B) than to perform a site visit and
then call to verify the phone number.

Moreover, the EV guidelines also require the CA to verify the authority
of the contract signer to represent the company, which requires one of
the methods listed in 19.c (legal opinion, accountant letter, corporate
resolution, or a call to a senior corporate officer or director).

> Q: The language of 10 b) 3) is very hard to understand. Can this
> sentence be reworded to be more clear?

[Kelvin Yiu] Unfortunately 10.b.3 contains a lot of legalese. The terms
"natural person", "authorized agent" and "express authority" have
specific legal meanings, but we'll see if we can simplify it in the next
draft. All it really means is that the contract signer must be a person
who is directly employed by the company or otherwise authorized by it
by other means.
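An added illustration of the caching argument in answer 1 (my own constructed model, not code from this thread or from the EV guidelines): a relying party that holds a cached "good" OCSP response keeps trusting the certificate until that response's nextUpdate passes, no matter how quickly the CA revokes. The weekly validity window and the day numbers are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

DAY = timedelta(days=1)


@dataclass(frozen=True)
class OcspResponse:
    """One signed OCSP status, as a relying party would cache it."""
    this_update: datetime  # when the responder produced this status
    next_update: datetime  # until when the response may be cached/reused
    status: str            # "good" or "revoked"


def cached_status(cache: List[OcspResponse], now: datetime) -> Optional[str]:
    """Status a client believes at `now` using only cached responses whose
    validity window covers `now`; None means it has to fetch a fresh one."""
    valid = [r for r in cache if r.this_update <= now <= r.next_update]
    if not valid:
        return None
    # Newest response wins if several overlap.
    return max(valid, key=lambda r: r.this_update).status


def exposure_window(revoked_at: datetime, cache: List[OcspResponse]) -> timedelta:
    """Worst-case time after revocation during which a client that already
    holds `cache` (and never refetches early) still treats the cert as good."""
    last_good = max((r.next_update for r in cache
                     if r.status == "good" and r.next_update > revoked_at),
                    default=revoked_at)
    return last_good - revoked_at


# Constructed timeline (assumption): responder signs weekly "good" responses;
# a phishing report arrives on day 2 and the CA investigates and revokes on day 3.
T0 = datetime(2006, 11, 1)
GOOD_RESPONSE = OcspResponse(T0, T0 + 7 * DAY, "good")
REVOKED_AT = T0 + 3 * DAY
REVOKED_RESPONSE = OcspResponse(REVOKED_AT, REVOKED_AT + 7 * DAY, "revoked")

CACHE_STALE = [GOOD_RESPONSE]                    # client fetched on day 0 only
CACHE_FRESH = [GOOD_RESPONSE, REVOKED_RESPONSE]  # client refetched on day 3

if __name__ == "__main__":
    for day in range(0, 9):
        t = T0 + day * DAY
        print(f"day {day}: stale client sees {cached_status(CACHE_STALE, t)}, "
              f"fresh client sees {cached_status(CACHE_FRESH, t)}")
    print("stale client exposure:", exposure_window(REVOKED_AT, CACHE_STALE))
```

The stale client keeps accepting the revoked certificate for four more days; shortening nextUpdate narrows that window at the cost of more responder load, which is the scalability trade-off the answer refers to.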

