
Investigate which CA will issue EV certificates with email verification only

RESOLVED INVALID

Status

NSS
CA Certificate Root Program
RESOLVED INVALID
7 years ago
3 months ago

People

(Reporter: Heikki Toivonen (remove -bugzilla when emailing directly), Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

I was reading a blog entry at https://blog.torproject.org/blog/life-without-ca where the author mentioned in a comment:

"When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided."

As far as I remember the EV guidelines, this should not be possible.

I think we need to find out if this is really the case, which CA was involved, and somehow try to make sure this cannot happen again.

Comment 1

7 years ago
(In reply to comment #0)
> 
> "When I tried to buy an EV cert for torproject.org, the entire check consisted
> of sending an email to an address I provided."

Could the author of that statement please show us the received EV certificate, so we can know the issuer CA?

It appears https://torproject.org is not using an EV cert currently.
Assignee: nobody → kathleen95014
Component: CA Certificates → CA Certificates
Product: NSS → mozilla.org
QA Contact: root-certs → ca-certificates
Version: unspecified → other
(Assignee)

Comment 2

7 years ago
I have sent email to tor-webmaster@torproject.org requesting further information about this.
Status: NEW → ASSIGNED
(Assignee)

Comment 3

7 years ago
I have exchanged email with the appropriate person at The Tor Project.

The quote in the blog response is: "When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided." 

An interpretation of this quote could be that an EV cert had been issued without proper verification according to the EV guidelines. However, that is not actually what happened.

What actually happened is the customer decided not to proceed with their EV cert request for several reasons, of their own choosing. Included in those reasons was that the customer did not like having to prove their own personal identity, believing that it had nothing to do with Tor as a company itself. The request did not proceed to the point where the CA would do the verification of the existence and identity of the organization.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID

Updated

3 months ago
Product: mozilla.org → NSS