I was reading a blog entry at https://blog.torproject.org/blog/life-without-ca where the author mentioned in a comment: "When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided." As far as I remember the EV guidelines, this should not be possible. I think we need to find out if this is really the case, which CA was involved, and somehow try to make sure this cannot happen again.
(In reply to comment #0)
> "When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided."

Could the author of that statement please show us the received EV certificate, so we can know the issuer CA? It appears https://torproject.org is not using an EV cert currently.
I have sent email to firstname.lastname@example.org requesting further information about this.
I have exchanged email with the appropriate person at The Tor Project. The quote in the blog response is: "When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided." An interpretation of this quote could be that an EV cert had been issued without proper verification according to the EV guidelines. However, that is not actually what happened. What actually happened is the customer decided not to proceed with their EV cert request for several reasons, of their own choosing. Included in those reasons was that the customer did not like having to prove their own personal identity, believing that it had nothing to do with Tor as a company itself. The request did not proceed to the point where the CA would do the verification of the existence and identity of the organization.