Closed Bug 587355 Opened 14 years ago Closed 14 years ago

Investigate which CA will issue EV certificates with email verification only

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: hjtoi-bugzilla, Assigned: kathleen.a.wilson)

Details

I was reading a blog entry at https://blog.torproject.org/blog/life-without-ca where the author mentioned in a comment:

"When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided."

As far as I remember the EV guidelines, this should not be possible.

I think we need to find out if this is really the case, which CA was involved, and somehow try to make sure this cannot happen again.
(In reply to comment #0)
> 
> "When I tried to buy an EV cert for torproject.org, the entire check consisted
> of sending an email to an address I provided."

Could the author of that statement please show us the received EV certificate, so we can know the issuer CA?

It appears https://torproject.org is not using an EV cert currently.
Assignee: nobody → kathleen95014
Product: NSS → mozilla.org
QA Contact: root-certs → ca-certificates
Version: unspecified → other
I have sent email to tor-webmaster@torproject.org requesting further information about this.
Status: NEW → ASSIGNED
I have exchanged email with the appropriate person at The Tor Project.

The quote in the blog response is: "When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided." 

An interpretation of this quote could be that an EV cert had been issued without proper verification according to the EV guidelines. However, that is not actually what happened.

What actually happened is the customer decided not to proceed with their EV cert request for several reasons, of their own choosing. Included in those reasons was that the customer did not like having to prove their own personal identity, believing that it had nothing to do with Tor as a company itself. The request did not proceed to the point where the CA would do the verification of the existence and identity of the organization.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Product: mozilla.org → NSS
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.