CA/Required or Recommended Practices

1,691 bytes added, 18:41, 23 August 2010
Verifying Email Address Control
The recommended way to satisfy this requirement is to perform a challenge-response type of procedure in which the CA sends email to the email address to be included in the certificate, and the applicant must respond in a way that demonstrates that they have control over that email address. For instance, the CA may send an email to the address to be included in the certificate, containing secret unpredictable information, and give the applicant a limited time within which to use that information.
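
The following sketch of the CA side of such a challenge is an added example, not taken from the Mozilla policy or from any CA's implementation. The class name, the 15-minute window and the in-memory store are assumptions, and the mail delivery itself is left out.

```python
import hashlib
import hmac
import secrets
import time

# Assumed validity window; the text above only requires "a limited time".
CHALLENGE_TTL_SECONDS = 15 * 60


class EmailChallengeStore:
    """Pending challenges, keyed by the exact address that will go in the certificate."""

    def __init__(self, ttl=CHALLENGE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # email -> (SHA-256 of token, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email):
        """Return the secret to mail to `email`; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[email] = (self._digest(token), self._clock() + self._ttl)
        return token

    def verify(self, email, presented):
        """True only for the right token, for this address, before expiry, and once."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[email]        # expired challenges are discarded
            return False
        # Constant-time comparison avoids leaking how much of a guess matched.
        if not hmac.compare_digest(expected, self._digest(presented)):
            return False
        del self._pending[email]            # single use: a replayed token fails
        return True
```

The token is bound to one address, so a response proves control of that mailbox only, and a fresh challenge replaces any earlier one for the same address.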
 
=== Verifying Identity of Code Signing Certificate Subscriber ===
 
We rely on public documentation and audits of those documented processes to ascertain that the requirements of section 7 of the Mozilla CA Certificate Policy are met.
 
Section 7 of the [http://www.mozilla.org/projects/security/certs/policy Mozilla CA Certificate Policy] states: “for certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf; ”
 
The CA's public documentation needs to provide sufficient information describing how it is verified that the entity submitting the certificate signing request is the same entity referenced in the certificate, or has been authorized by the entity referenced in the certificate.
 
It is important that sufficient verification procedures are in place such that someone cannot submit forged or stolen documents and receive a certificate in his name (or that of a company).
 
If public resources are used, then there should be a description of the public resources that are used, what data is retrieved from public resources, and how that data is used for verification of the entity referenced in the certificate.
 
In addition to confirming the data to be included in the certificate by comparing it against a third party directory, there should also be a method for contacting the organization through an independent means to confirm that the certificate subscriber is authorized by the organization to request that certificate.
=== DNS names go in SAN ===