<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 16, 2016 at 12:02 PM, Rob Golding <span dir="ltr"><<a href="mailto:rob.golding@astutium.com" target="_blank">rob.golding@astutium.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> As to alternatives, your suggestions regarding using contact info on websites won't work in a vast number of cases,<br>
> because the certificate is often acquired before the website goes live<br>
<br>
</span>I have never known a CA issue an EV certificate without requiring that there be a website, with the correct (requestors) contact information on it (and that contact information matches a-n-other 3rd party system like the utility)<br>
<br>
Internet != Web of course (and we've organised plenty of certificates where there isn't and never is expected to be a website but the encryption is still necessary)<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;display:inline">GS: Agreed, then -- there are some cases where a website needs to be live, and many others where the website is not live first or no website is intended for the use (e.g., an email only use).</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
> On top of that, there's no support for an assumption that websites will have contact info on them, in those cases (e.g.., renewal) where the site is live.<br>
<br>
</span>It's a legal requirement in some jurisdictions, and at least 2 CAs I've obtained certificates from check the sites at least at SSL order time (and as they expire does mean periodic rechecks)<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;display:inline">GS: That's consistent with my statement. Since it's only in some jurisdictions, it's nothing we could depend on as a general matter.</div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
> I am unaware of any report that shows sales data related to SSL/TLS certs<br>
<br>
</span>Ironically, as the expiry date etc in an SSL Cert is "public", certificate holders face growing numbers of targeting phishing scams following the "fake renewal notice" methodology that has plagued domain Registrants for years (due to domain data being "public")<br>
<span class="im HOEnZb"><br>
Rob<br>
<br>
<br>
---<br>
This email has been checked for viruses by Avast antivirus software.<br>
<a href="https://www.avast.com/antivirus" rel="noreferrer" target="_blank">https://www.avast.com/<wbr>antivirus</a><br>
<br>
</span><div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/<wbr>listinfo/gnso-rds-pdp-wg</a><br>
</div></div></blockquote></div><br></div></div>