CA/Forbidden or Problematic Practices

209 bytes added, 19:42, 24 March 2015
=== Email Address Prefixes for DV Certs ===
* '''DRAFT''' Re-Write under discussion in mozilla.dev.security.policy

Previous wording of this section:

For domain validated SSL certificates, many CAs use an email challenge-response mechanism to verify that the SSL certificate subscriber owns/controls the domain name to be included in the certificate. Some CAs allow applicants to select an address from a predetermined list for this verification. Offering too many options for the email address prefix increases the risk of issuing a certificate to a subscriber who does not own/control the domain. Therefore, the list of email address prefixes should be limited. Mozilla's recommendation is to limit the set of verification addresses to the following:
* admin@domain
* administrator@domain
* webmaster@domain
* hostmaster@domain
* postmaster@domain
* Plus any address listed in the technical or administrative contact field of the domain's WHOIS record, regardless of the addresses' domains.
The list above is case-insensitive. However, when the email verification message is sent, it should be sent to the address with the same capitalization as specified by the certificate subscriber. For example, a certificate subscriber requests that validation be sent to PostMaster@foo.com, and this is allowed because a case-insensitive comparison to the list of acceptable email addresses succeeds. The verification message will be sent to PostMaster@foo.com, with the capitalization that was specified by the certificate subscriber.

Revised wording (this revision):

[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] requires CAs to conform to the [[CA:BaselineRequirements|Baseline Requirements]] (BRs) in the issuance and management of publicly trusted SSL certificates. This includes the BR restrictions on the use of an email challenge-response mechanism as a way of validating that the SSL certificate subscriber owns or controls the domain name to be included in the certificate. CAs are expected to conform to BR Section 11.1.1, which restricts the email addresses that may be used to authenticate the subscriber to information listed in the "registrant", "technical", or "administrative" WHOIS records and a selected whitelist of local addresses, which includes local-parts of "admin", "administrator", "webmaster", "hostmaster", and "postmaster". A CA that authorizes certificate subscribers by contacting any other email addresses is deemed non-compliant with Mozilla's CA Certificate Inclusion Policy and non-conforming to the Baseline Requirements, and may have action taken upon it as described in [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/ Mozilla's CA Certificate Enforcement Policy]. CAs are also reminded that Mozilla's CA Certificate Policy and the Baseline Requirements extend to any certificates that are technically capable of issuing SSL certificates, and subordinate CAs that fail to follow these requirements reflect upon the issuing CA that certified them.
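
The check both wordings describe, as an added example (not Mozilla's code and not any CA's implementation): the fixed local-parts are accepted only at the domain being validated, addresses taken from that domain's own WHOIS contact fields are accepted at any domain, the comparison is case-insensitive, and the challenge is addressed exactly as the subscriber typed it. The WHOIS record, the domain names and the contact addresses are constructed for the example; how a parent or child domain of the requested name should be treated is not covered by the text and is deliberately left out (exact match only).

```python
"""Authorizing the e-mail address used for DV domain-control validation.

Added example, not Mozilla's or any CA's code. Rules applied:
  1. "admin", "administrator", "webmaster", "hostmaster", "postmaster"
     at the exact domain being validated;
  2. any address listed in that domain's registrant / technical /
     administrative WHOIS contact, whatever domain that address is at;
  3. matching is case-insensitive, but the challenge mail goes to the
     address with the capitalization the subscriber supplied.
"""
from __future__ import annotations

from dataclasses import dataclass

ALLOWED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# Constructed WHOIS data for this example. A real CA fetches this from the
# registry at validation time; every name and address here is made up.
WHOIS_CONTACTS = {
    "foo.com": {
        "registrant": ["owner@foo.com"],
        "technical": ["Dns-Ops@hosting-provider.example"],
        "administrative": ["ops@foo.com"],
    },
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    send_to: str | None  # address the challenge is sent to, or None if refused
    reason: str


def split_address(address: str) -> tuple[str, str] | None:
    """Return (local_part, domain) for a plain addr-spec, else None.

    Zero or several '@', an empty side, or any whitespace is rejected
    before the address can reach a comparison.
    """
    if address.count("@") != 1 or any(ch.isspace() for ch in address):
        return None
    local, _, domain = address.partition("@")
    if not local or not domain:
        return None
    return local, domain


def authorize_validation_address(
    fqdn: str, requested: str, whois: dict = WHOIS_CONTACTS
) -> Decision:
    """Decide whether `requested` may be used to prove control of `fqdn`."""
    parts = split_address(requested)
    if parts is None:
        return Decision(False, None, "malformed address")
    local, domain = parts
    fqdn_l = fqdn.lower()

    # Rule 1: whitelisted local-part at the exact domain being validated.
    # Parent/child domains are not handled here (assumption: exact match).
    if domain.lower() == fqdn_l and local.lower() in ALLOWED_LOCAL_PARTS:
        return Decision(True, requested, f"whitelisted local-part at {fqdn_l}")

    # Rule 2: an address from the validated domain's own WHOIS contacts,
    # accepted regardless of the domain the contact address is at.
    record = whois.get(fqdn_l, {})
    for field in ("registrant", "technical", "administrative"):
        if any(c.lower() == requested.lower() for c in record.get(field, [])):
            return Decision(True, requested, f"WHOIS {field} contact for {fqdn_l}")

    # Everything else ("info@", "ssladmin@", an address at another domain,
    # a contact from some other domain's WHOIS record) is refused.
    return Decision(False, None, "address is not on the permitted list")


if __name__ == "__main__":
    for fqdn, addr in [
        ("foo.com", "PostMaster@foo.com"),
        ("foo.com", "dns-ops@hosting-provider.example"),
        ("foo.com", "ssladmin@foo.com"),
        ("foo.com", "admin@attacker.example"),
        ("bar.com", "dns-ops@hosting-provider.example"),
        ("foo.com", "admin"),
    ]:
        d = authorize_validation_address(fqdn, addr)
        verdict = "ALLOW" if d.allowed else "REFUSE"
        print(f"{fqdn:8} {addr:36} -> {verdict}: {d.reason}")
```

Sending to the address as typed rather than to the lower-cased form matters because SMTP leaves the case-sensitivity of the local-part to the receiving server: a lower-cased copy might be a different mailbox, or no mailbox at all, on the subscriber's system. The refusals show the risk the text describes: a local-part outside the list (`ssladmin@`) or a listed local-part at some other domain proves nothing about control of `foo.com`.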
=== Delegation of Domain / Email validation to third parties ===