Changes


CA/Forbidden or Problematic Practices

6 bytes added, 16:12, 25 March 2015
Email Address Prefixes for DV Certs
* '''DRAFT''' Re-Write under discussion in mozilla.dev.security.policy
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] requires CAs to conform to the [[CA:BaselineRequirements|Baseline Requirements]] (BRs) in the issuance and management of publicly trusted SSL certificates. This includes the BR restrictions on the use of email as a way of validating that the certificate subscriber owns or controls the domain name to be included in the certificate. CAs are expected to conform to BR Section 11.1.1, which restricts the email addresses that may be used to authenticate the subscriber to information listed in the "registrant", "technical", or "administrative" WHOIS records and a selected whitelist of local addresses, which are limited to local-parts of "admin", "administrator", "webmaster", "hostmaster", and "postmaster".
A CA that authorizes certificate subscribers by contacting any other email addresses is deemed to be non-compliant with Mozilla's CA Certificate Inclusion Policy and non-conforming to the Baseline Requirements, and may have action taken upon it as described in [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/ Mozilla's CA Certificate Enforcement Policy]. CAs are also reminded that Mozilla's CA Certificate Policy and the Baseline Requirements extend to any certificates that are technically capable of issuing SSL certificates, and subordinate CAs that fail to follow these requirements reflect upon the issuing CA that certified them.
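The following is an added example, not part of the wiki page or of Mozilla's policy text, showing how an issuance pipeline could enforce the address restriction described above before a validation email is sent. The function names, the `whois_contacts` mapping, the case-folding of addresses, and the requirement that a whitelisted local-part sit at the domain being validated are assumptions of this example; the sample data is constructed.

```python
# Added example: gate for email-based domain validation addresses.
ALLOWED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)
WHOIS_ROLES = ("registrant", "technical", "administrative")

# Constructed sample WHOIS contacts for example.com (not real data).
SAMPLE_WHOIS = {
    "registrant": "owner@registrar-mail.example",
    "technical": "noc@example.com",
}


def _split(address):
    """Return (local_part, domain) case-folded, or None if malformed."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    # Assumption: compare case-insensitively and ignore a trailing dot.
    return local.lower(), domain.lower().rstrip(".")


def permitted_validation_address(address, domain, whois_contacts):
    """Return why `address` may be used to validate `domain`, else None."""
    parsed = _split(address)
    if parsed is None:
        return None
    local, addr_domain = parsed
    # Path 1: the address is listed in one of the three WHOIS records.
    for role in WHOIS_ROLES:
        contact = whois_contacts.get(role)
        if contact and _split(contact) == parsed:
            return "whois:" + role
    # Path 2: exact whitelisted local-part at the validated domain.
    # Exact match only: "ssladmin" or "admin+tag" must not pass.
    if addr_domain == domain.lower().rstrip(".") and local in ALLOWED_LOCAL_PARTS:
        return "local-part:" + local
    return None


if __name__ == "__main__":
    for candidate in ("Hostmaster@Example.com", "ssladmin@example.com"):
        print(candidate, permitted_validation_address(
            candidate, "example.com", SAMPLE_WHOIS))
```

Returning the reason rather than a bare boolean lets the issuance record show which path authorized each validation email, which is what an auditor checking conformance would ask for.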