<div>Thanks for this clarification, Theo. What would be the difference between these basic SSL certificates and those offered freely by, say, Let's Encrypt? (I'm just trying to get a sense of what forms of identity validation are used besides automated WHOIS/DNS checks here, and to understand whether or not other identity checks might be economical for the Digital Certificate Authority. Thanks.)<br></div><div><br></div><div>- Ayden</div><div class="protonmail_signature_block"><div><br></div></div><blockquote type="cite" class="protonmail_quote"><div>-------- Original Message --------<br></div><div>Subject: Re: [gnso-rds-pdp-wg] Use case for WHOIS/RDP<br></div><div>Local Time: August 15, 2016 9:00 PM<br></div><div>UTC Time: August 15, 2016 8:00 PM<br></div><div>From: gtheo@xs4all.nl<br></div><div>To: icann@ferdeline.com,Geoffrey_Noakes@symantec.com<br></div><div>gnso-rds-pdp-wg@icann.org<br></div><div><br></div><div><br></div><p>Hi Ayden, <br></p><p>These types of SSL certificates are pretty cheap and the
verification is pretty simple. Can be through a verification by
email or a code in the name servers, as long as you can prove control
over the domain name.<br></p><p>The Extended Validation SSL certificates require way more
verification. These are the ones you usually see for web shops and
have this "green" bar in the web browser. <br></p><p>Best regards, <br></p><p>Theo Geurts<br></p><p><br></p><p><br></p><div><br></div><div class="moz-cite-prefix">On 15-8-2016 20:16, Ayden Férdeline
wrote:<br></div><blockquote type="cite"><div>If I understand this use case correctly, when an SSL
certificate is purchased, your system is sending an automated
message to the registrant or the technical contact's email
address as listed in WHOIS records. If the recipient of this
email clicks a URL, it validates the certificate?<br></div><div><br></div><div>If this is the case, I would like to understand how
commonplace this practice is. Are these emails only sent once,
when the certificate is initially purchased? I cannot imagine a
significant volume of these certificates are purchased on a
daily basis, and I struggle to believe that there could be more
than, say, 200 such certification bodies globally. If my
assumptions are correct, are we talking, here, about a use case
applicable to only a handful of businesses worldwide? Businesses
selling these certificates for large volumes of money?<br></div><div><br></div><div>The other issue I see is that there is very little
verification of information in WHOIS as it stands today. To rely
on the email addresses stored in WHOIS to authenticate a
certificate strikes me as flawed. Would it not be more
appropriate for the Certification Authority to visit the domain
name in question, call the phone number listed on their website,
and to clarify with the contact that claims to have purchased
your service that they have purchased your service? If the
website does not list even the number for a switchboard, perhaps
that should raise red flags?<br></div><div><br></div><div class="protonmail_signature_block"><div>- Ayden <br></div><div><br></div></div><blockquote type="cite" class="protonmail_quote"><div>-------- Original Message --------<br></div><div>Subject: [gnso-rds-pdp-wg] Use case for WHOIS/RDP<br></div><div>Local Time: August 15, 2016 6:40 PM<br></div><div>UTC Time: August 15, 2016 5:40 PM<br></div><div>From: <a class="moz-txt-link-abbreviated" href="mailto:Geoffrey_Noakes@symantec.com">Geoffrey_Noakes@symantec.com</a><br></div><div>To: <a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br></div><div><br></div><div><br></div><div class="WordSection1"><p class="MsoNormal">I’ve attached a use case for WHOIS/RDP.<br></p><p class="MsoNormal"> <br></p><p class="MsoNormal">Thanks…<br></p><p class="MsoNormal"> <br></p><p class="MsoNormal">Geoff<br></p><p class="MsoNormal"> <br></p><p class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"> </span><br></p><p class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"> </span><br></p><p class="MsoNormal"><br></p><div><b>From:</b> Lisa Phifer [<a class="moz-txt-link-freetext" href="mailto:lisa@corecom.com">mailto:lisa@corecom.com</a>] <br></div><div><b>Sent:</b> Monday, August 15, 2016 10:37 AM<br></div><div><b>To:</b> Geoffrey Noakes
<a class="moz-txt-link-rfc2396E" href="mailto:Geoffrey_Noakes@symantec.com">&lt;Geoffrey_Noakes@symantec.com&gt;</a><br></div><div><b>Subject:</b> RE: Use Case<br></div><p><br></p><p class="MsoNormal"> <br></p><p class="MsoNormal"><br></p><div>Hi Geoff, it's &lt;<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>&gt;<br></div><div><br></div><div>For further info, see mailing list archives: <a rel="noreferrer" href="http://mm.icann.org/pipermail/gnso-rds-pdp-wg/">
http://mm.icann.org/pipermail/gnso-rds-pdp-wg/</a> <br></div><div><br></div><div>As a WG member, you are on that mailing list, so if
you're not currently receiving email from that list, please
let me or the GNSO secretariat
<a href="mailto:gnso-secs@icann.org">gnso-secs@icann.org</a>
know.<br></div><div><br></div><div>Thanks again<br></div><div>Lisa<br></div><div><br></div><div><br></div><div>At 11:19 AM 8/15/2016, Geoffrey Noakes wrote:<br></div><div><span style="font-size:12pt" class="size"></span><br></div><p><br></p><p class="MsoNormal" style="margin-bottom:12.0pt"><br></p><div>Lisa, what is the “WG email list” email address?<br></div><div><br></div><div><b>From:</b> Lisa Phifer [<a href="mailto:lisa@corecom.com"> mailto:lisa@corecom.com</a>]
<br></div><div><b>Sent:</b> Monday, August 15, 2016 10:17 AM<br></div><div><b>To:</b> Geoffrey Noakes <<a href="mailto:Geoffrey_Noakes@symantec.com">Geoffrey_Noakes@symantec.com</a>><br></div><div><b>Subject:</b> RE: Use Case<br></div><div><br></div><div>Thanks Geoff and welcome back. I hope you had an
excellent vacation.<br></div><div><br></div><div>I will upload your case to the WG's table of example use
cases and see that the case is included on the 23 August
call agenda.<br></div><div><br></div><div>In addition, it is best if you would also email this
example use case directly to the WG email list so that any
comments that may be provided on the mailing list in advance
of the call will be sent to your attention.<br></div><div><br></div><div>Best, Lisa<br></div><div><br></div><div><br></div><div>At 11:11 AM 8/15/2016, you wrote:<br></div><p><br></p><p class="MsoNormal" style="margin-left:.5in">+Lisa (we had a
side conversation about this), plus some Symantec employees
who are involved in this
<br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in">Chuck, I am just
back from a week of PTO. I’ve attached a markup of a
document originally authored by Scott Hollenbeck of
VeriSign, which is essentially the use case for a CA’s use
of WHOIS.
<br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in">I would prefer
the August 23 date – I am on jury duty the week of August
29-September 2.
<br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in">Thanks… <br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in">Geoff <br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in">From: Gomes,
Chuck [ <a href="mailto:cgomes@verisign.com">
mailto:cgomes@verisign.com</a>] <br></p><p class="MsoNormal" style="margin-left:.5in">Sent: Monday,
August 15, 2016 9:53 AM
<br></p><p class="MsoNormal" style="margin-left:.5in">To: Geoffrey
Noakes <<a href="mailto:Geoffrey_Noakes@symantec.com">
Geoffrey_Noakes@symantec.com</a>>
<br></p><p class="MsoNormal" style="margin-left:.5in">Cc:
RDS-Leaders-List (<a href="mailto:gnso-next-gen-rds-lead@icann.org">
gnso-next-gen-rds-lead@icann.org</a>) <<a href="mailto:gnso-next-gen-rds-lead@icann.org">
gnso-next-gen-rds-lead@icann.org</a>>
<br></p><p class="MsoNormal" style="margin-left:.5in">Subject: Use
Case <br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in">Geoff, <br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in">You volunteered
to prepare a use case for Certificate Authorities. We hope
to discuss that use case in the WG meeting on either August
23 or August 30. Which date would work better for you? In
either case, we would need the use case to be submitted to
the WG list 24 hours in advance. <br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in">Hope you are
having a good vacation.
<br></p><p class="MsoNormal" style="margin-left:.5in"><br></p><p class="MsoNormal" style="margin-left:.5in">Chuck <br></p><p class="MsoNormal"> <br></p></div></blockquote><div><br></div><div><br></div><div><br></div><pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a rel="noreferrer" class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br></pre></blockquote></blockquote><div><br></div>