Bug 587355 - Investigate which CA will issue EV certificates with email verification only
Status: RESOLVED INVALID
Product: mozilla.org
Classification: Other
Component: CA Certificates
Assigned To: Kathleen Wilson
Reported: 2010-08-14 11:33 PDT by Heikki Toivonen (remove -bugzilla when emailing directly)
Modified: 2010-09-08 12:31 PDT

Description Heikki Toivonen (remove -bugzilla when emailing directly) 2010-08-14 11:33:25 PDT
I was reading a blog entry at https://blog.torproject.org/blog/life-without-ca where the author mentioned in a comment:

"When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided."

As far as I remember the EV guidelines, this should not be possible.

I think we need to find out if this is really the case, which CA was involved, and somehow try to make sure this cannot happen again.
Comment 1 Kai Engert (:kaie) 2010-08-14 13:44:45 PDT
(In reply to comment #0)
> 
> "When I tried to buy an EV cert for torproject.org, the entire check consisted
> of sending an email to an address I provided."

Could the author of that statement please show us the received EV certificate, so we can know the issuer CA?

It appears https://torproject.org is not using an EV cert currently.
Comment 2 Kathleen Wilson 2010-09-07 15:29:28 PDT
I have sent email to tor-webmaster@torproject.org requesting further information about this.
Comment 3 Kathleen Wilson 2010-09-08 12:31:37 PDT
I have exchanged email with the appropriate person at The Tor Project.

The quote in the blog response is: "When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided." 

An interpretation of this quote could be that an EV cert had been issued without proper verification according to the EV guidelines. However, that is not actually what happened.

What actually happened is the customer decided not to proceed with their EV cert request for several reasons, of their own choosing. Included in those reasons was that the customer did not like having to prove their own personal identity, believing that it had nothing to do with Tor as a company itself. The request did not proceed to the point where the CA would do the verification of the existence and identity of the organization.
