CA/Forbidden or Problematic Practices

212 bytes added, 23 January
Non-Standard Email Address Prefixes for Domain Ownership Validation: Updated allowed email contacts
=== Non-Standard Email Address Prefixes for Domain Ownership Validation ===
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy] requires CAs to conform to the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements (BRs)] in the issuance and management of publicly trusted TLS server certificates. This includes the BR restrictions on the use of email as a way of validating that the certificate subscriber owns or controls the domain name to be included in the certificate. CAs are expected to conform to BR section 3.2.2.4, which restricts the email addresses that may be used to authenticate the subscriber to: information listed in the "Domain Contact", defined as the "Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record, or as obtained through direct contact with the Domain Name Registrar" (BR § 3.2.2.4.2); a selected whitelist of constructed addresses, which are limited to local-parts of "admin", "administrator", "webmaster", "hostmaster", and "postmaster" followed by the "at" sign ("@") and the domain name in question (read BR § 3.2.2.4.4 for specifics); or email addresses found in DNS (BR § 3.2.2.4.13 and BR § 3.2.2.4.14).
A CA that authorizes certificate subscribers by contacting any other email addresses may be found non-compliant with Mozilla's Root Store Policy and in violation of the Baseline Requirements, and may have action taken against it. CAs are also reminded that Mozilla's Root Store Policy and the Baseline Requirements extend to any CA certificates that are technically capable of issuing TLS server certificates, and subordinate CAs that fail to follow these requirements put the root CA in jeopardy of removal from Mozilla's root store.
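A compliance check for the constructed-address whitelist described above, written here as an added example (it is not Mozilla's, the CA/Browser Forum's, or any CA's code). Case-insensitive matching, the single-"@" rule and the DNS label syntax check are assumptions; the BRs' Domain Contact and DNS-based methods are not modelled.

```python
"""Check whether a proposed validation e-mail is one of the constructed
addresses the page lists for BR § 3.2.2.4.4 (example code)."""
import re

# Local-parts the page lists as permitted for constructed addresses.
CONSTRUCTED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing
# hyphen. IDN labels are expected in their punycode (xn--) form. (Assumption.)
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(domain: str) -> str:
    """Lower-case, drop a trailing dot, and validate the labels."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return d


def is_permitted_constructed_address(email: str, domain: str) -> bool:
    """True only if `email` is <whitelisted-local-part>@<domain in question>.

    Assumed (not stated on the page): the comparison is case-insensitive and
    exactly one '@' separates local-part and domain.
    """
    if email.count("@") != 1:
        return False
    local_part, addr_domain = email.split("@")
    try:
        addr_domain = normalize_domain(addr_domain)
        target = normalize_domain(domain)
    except ValueError:
        return False
    # The domain must be the domain in question itself: a subdomain, a
    # parent domain or a different registrable domain is rejected.
    return addr_domain == target and local_part.lower() in CONSTRUCTED_LOCAL_PARTS


def review_validation_emails(domain: str, candidates):
    """Split proposed validation addresses into (permitted, rejected) lists,
    preserving the input order; useful when auditing a CA's contact list."""
    permitted, rejected = [], []
    for addr in candidates:
        bucket = permitted if is_permitted_constructed_address(addr, domain) else rejected
        bucket.append(addr)
    return permitted, rejected
```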
=== Issuing End Entity Certificates Directly From Roots ===