CA/Required or Recommended Practices: Difference between revisions

Jump to navigation Jump to search

CA/Required or Recommended Practices (view source)

Revision as of 23:50, 21 October 2022

42 bytes added ,  21 October 2022
m
→‎Verifying Email Address Control: Minor
Line 105: Line 105:
We rely on public documentation and audits of those documented processes to ascertain that the requirements of the Mozilla Root Store Policy are met.
We rely on public documentation and audits of those documented processes to ascertain that the requirements of the Mozilla Root Store Policy are met.


Section 2.2 of [http://www.mozilla.org/projects/security/certs/policy/ Mozilla's Root Store Policy] states: "For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder’s behalf. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification."
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#22-validation-practices Section 2.2 of Mozilla's Root Store Policy] states: "For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder’s behalf. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification."


The CA's public documentation needs to provide sufficient information describing how the email address is verified to be owned/controlled by the certificate subscriber. For instance, if a challenge-response type of procedure is used, then there needs to be a brief description of the process. If public resources are used, then there should be a description of which public resources are used, what data is retrieved from public resources, and how that data is used to verify that the certificate subscriber owns/controls the email address.
The CA's public documentation needs to provide sufficient information describing how the email address is verified to be owned/controlled by the certificate subscriber. For instance, if a challenge-response type of procedure is used, then there must be a description of the process. If public resources are used, then there must be a description of which public resources are used, what data is retrieved from public resources, and how that data is used to verify that the certificate subscriber owns/controls the email address.


The recommended way to satisfy this requirement is to perform a challenge-response type of procedure in which the CA sends email to the email address to be included in the certificate, and the applicant must respond in a way that demonstrates that they have control over that email address. For instance, the CA may send an email to the address to be included in the certificate, containing secret unpredictable information, giving the applicant a limited time to use the information within.
The recommended way to satisfy this requirement is to perform a challenge-response type of procedure in which the CA sends email to the email address to be included in the certificate, and the applicant must respond in a way that demonstrates that they have control over that email address. For instance, the CA may send an email to the address to be included in the certificate, containing secret unpredictable information, giving the applicant a limited time to use the information within.
Bwilson
Confirmed users
569

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1244293"

Navigation menu