EV certs: Doing more of what we already know doesn't work

[Peter Gutmann]

Inspired by Ian Grigg's comment (in the subject line) and various remarks made
in a recent thread, I had a look at the Verisign 1.0 CPS from 1996 and the
very latest Verisign CPS from June 2008, twelve years later.  Here's the
authentication requirements for businesses.  One is from the 1.0 CPS, which
was going to Solve the Problem twelve years ago.  The other is from the 2008
EV-cert CPS, which is going to Solve the Problem today.  Without going out to
check, see if you can tell which is which.  I've harmonised the style and
wording a bit since it's otherwise possible to make a pretty good guess based
on the form of the text, the current CPS has way more legalese:

  Where required, the third party confirms the business entity's name,
  address, and other registration information through comparison with third-
  party databases and through inquiry to the appropriate government entities.
  Confirmation of information of companies, banks, and their agents requires
  certain customized (and possibly localized) procedures focusing on specific
  business-related criteria (such as proper business registration). The third
  party also provides telephone numbers that are used for out-of-band
  communications with the business entity to confirm certain information (for
  example, to confirm an agent's position within the business entity or to
  confirm that the particular individual listed in the application is in fact
  the applicant). If its databases do not contain all the information
  required, the third party may undertake an investigation, if requested by
  the IA, or the certificate applicant may be required to provide additional
  information and proof.

  The third party must be a legally recognized entity whose formation included
  the filing of certain forms with the Registration Agency in its
  Jurisdiction, the issuance or approval by a Registration Agency of a
  charter, certificate, or license, and whose existence can be verified with
  that Registration Agency, and must have a verifiable physical existence and
  business presence.  If the third party represents itself under an assumed
  name, VeriSign verifies the third party's use of the assumed name.

The only difference I can see is that one CPS exhaustively itemises the
various bits and pieces that are checked whereas the other gives it in general
terms, I've left out the list itself because it'd make this a five-page
posting with not a lot more content.  If you want to see the verification
requirements for yourself, they're in section 5.1.3 (old CPS) and Appendix B1
5(c) with an almost-identical copy at 14(C) with more detail in sections that
follow (new CPS).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com