Changes

Section 2.2 of In accordance with [httphttps://www.mozilla.org/projectsen-US/about/governance/policies/security-group/certs/policy/ #22-validation-practices section 2.2 of Mozilla's Root Store Policy] states: "For , all domains in a certificate capable of being used for SSL-enabled servers, the CA must ensure that the applicant has registered all domain(s) referenced in the certificate or has been authorized by the domain registrant to act on their behalf. This TLS must be done verified using one or more of the methods documented in section 3.2.2.4 of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements]. The CA's CP/practices documentation (e.g. its CPS ) must clearly specify and detail the procedure(s) that the CA employs, and each documented procedure should state including which subsection of 3.2.2.4 it is complying with. CAs are not permitted to use 3.2.2.5 (4) ("any other method") to fulfill the requirements of method 3.2.2.4.8 (IP Address)."

The CA's public documentation It also needs to provide sufficient information describing the steps taken by the CA to confirm that the certificate subscriber applicant owns/controls the domain name names to be included in the certificate. For instance, if a challenge-response type of procedure is used, then there needs to must be a brief description of the process. If public resources are used, then there should must be a description of which public resources are used, what data is retrieved from public resources, and how that data is used to verify that the certificate subscriber applicant owns/controls the domain namenames.

It is '''not''' sufficient to simply reference section 3.2.2.4 of the [https://cabforum.org/baseline-requirements-documents/ CA/Brower Forum's Baseline Requirements (BR)]. The BRs list several ways in which the CA may confirm that the certificate subscriber owns/controls the domain name to be included in the certificate. Simply referencing a subsection within section 3.2.2.4 of the BRs does not specify which of those options what the CA usesdoes, and is insufficient for describing how the CA conforms to the BRs. Section 2.3 of the BRs says: "The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes '''in detail''' how the CA implements the latest version of these Requirements. The CA SHALL indicate conformance with this requirement by incrementing the version number and adding a dated changelog entry, even if no other changes are made to the document."

* The A CPS should must state what the CA actually does, not what it could do. Such , such as which of the allowed domain validation methods the CA uses.* The following validation methods are prohibited: BR subsections 3.2.2.4.1, BR 3.2.2.4.3, BR 3.2.2.4.5, BR 3.2.2.4.6, BR 3.2.2.4.9, BR 3.2.2.4.1110, and BR 3.2.2.5.4.* 11, and BR subsection 3.2.2.5.4.10 contains major vulnerabilities. If the CA uses this method, then the CA should describe how they are mitigating those vulnerabilities. If not using this method, the CPS should say so.

===== WHOIS and DNS =====

[http://en.wikipedia.org/wiki/WHOIS WHOIS] is and DNS are used by some CAs as a source of information for checking ownership/control of the domain name for TLS certificate applications. WHOIS and DNS information may be subject to compromise(e.g. [https://en.wikipedia.org/wiki/BGP_hijacking BGP hijacking]). CAs are responsible for implementing appropriate methods to reduce the risk of compromisethat a domain validation method has been compromised. For example, a CA could use direct command line, HTTPS to the original registrar, DNSSEC, or correlating correlate multiple sourcesof WHOIS and DNS information. The CA should include information in its CP/CPS about disclose the method methods that it uses to validate ensure the integrity of the data.