> Could you explain more about obtaining it under someone else's name? There are many checks in place to prevent this.
Here's what I know, which is not conclusive but possibly persuasive, and as I say below, I've never seen someone call the checks effective: 1) In my experience obtaining regular certs, the identity verification looked ineffective (though I wasn't trying to fool anyone). 2) Regarding both EV and regular certs, I've read several times about ineffectiveness of the verification, and I've never seen someone say otherwise. 3) Finally, effective verification is hard and manually intensive; it's hard to believe it's economical or practical for the large volume of certs issued.
Organizationally validated certificates do not require a lot of paperwork or manual validation. The effectiveness of the verification is still a topic for discussion. However, the last point is dubious at best, as CAs make >$30-40 per certificate and validation takes max 30 minutes spread out over a day or two (typically).
I will say there are very few maliciously issued EV certificates.
Thanks for responding. I get the sense that you have some expertise in this field? As I said above, I don't, so if you do please forgive any ignorance on my part:
> CAs make >$30-40 per certificate and validation takes max 30 minutes spread out over a day or two (typically).
$30-40 isn't much, and 30 minutes doesn't seem nearly sufficient to reliably verify someone's identity.
> I will say there are very few maliciously issued EV certificates.
How do we know? And is there a lower fraud rate for EV certs than for standard certs? (Probably there is little fraud in any set of business transactions -- otherwise nobody would participate -- but I don't think that's what you mean.)
It's actually not that long of a process once you read over the CPS's of a few CAs and the EV baseline.
> How do we know?
Ah, the golden question! Hopefully CT (certificate transparency) will sort this out within the next 3 years. My statement is an assumption but any high level fraud (e.g. Google/MSFT) is caught immediately (chrome pinning/reporting and internal CA logs, if you're not DigiNotar). I don't know about small companies though.
I don't think there's ever been a maliciously issued EV cert in the context of the ComodoHacker and other very public hacks. They typically have tighter internal controls, that I know (e.g. RAs have very limited EV issuance power) but I have no numbers. :(
You should note that EV implies DV validation, so, to maliciously issue a certificate without hacking, an attacker would probably settle for a DV cert.