Just to be clear... This is the wording copied as-is from the wiki page. I have not proposed any changes yet -- I'm looking for your input on how to update this wiki page, and I appreciate the input you all have provided so far.

Thanks,
Kathleen


On 3/22/15 4:18 PM, Kathleen Wilson wrote:
After reading this:
https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html


I'm thinking we need to update our wiki page:

https://wiki.mozilla.org/CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs

~~~
For domain-validated SSL certificates, many CAs use an email
challenge-response mechanism to verify that the SSL certificate
subscriber owns/controls the domain to be included in the certificate.
Some CAs allow applicants to select an address from a predetermined list
to be used for this verification.

Offering too many options for the email address prefix increases the
risk of issuing a certificate to a subscriber who does not own/control
the domain. Therefore, the list of email address prefixes should be
limited.

Mozilla's recommendation is to limit the set of verification addresses
to the following.

     admin@domain
     administrator@domain
     webmaster@domain
     hostmaster@domain
     postmaster@domain
     Plus any address listed in the technical or administrative contact
field of the domain's WHOIS record, regardless of the addresses' domains.
~~~

What do you all think?

Kathleen

(Note this is also in Baseline Requirements section 11.1.1)


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
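
An added example, not part of the original message or the wiki page: one way a CA-side check could enforce the list quoted above, so that an applicant-selected address outside the five prefixes and the WHOIS contacts is refused. The function names, the `whois_contacts` parameter, and the reading of "@domain" as the exact domain passed in are assumptions.

```python
import re

# The five local parts recommended in the quoted wiki text.
ALLOWED_PREFIXES = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

# Exactly one "@", no whitespace, no list separators or display-name brackets.
_ADDR = re.compile(r"^[^@\s<>,;]+@[^@\s<>,;]+$")


def _normalize(addr):
    """Lower-case one address; return None unless it is a bare local@host."""
    addr = addr.strip().lower()  # assumption: compare case-insensitively
    if not _ADDR.match(addr):
        return None
    local, host = addr.rsplit("@", 1)
    return f"{local}@{host.rstrip('.')}"


def permitted_addresses(domain, whois_contacts=()):
    """Build the complete set of addresses the challenge may be sent to."""
    domain = domain.strip().lower().rstrip(".")
    allowed = {f"{p}@{domain}" for p in ALLOWED_PREFIXES}
    # WHOIS technical/administrative contacts count regardless of their domain.
    allowed.update(a for a in map(_normalize, whois_contacts) if a)
    return allowed


def select_validation_address(requested, domain, whois_contacts=()):
    """Return the normalized address if permitted, else raise ValueError."""
    addr = _normalize(requested)
    if addr is None or addr not in permitted_addresses(domain, whois_contacts):
        raise ValueError(f"address not permitted for {domain!r}: {requested!r}")
    return addr
```

Matching is exact on the full address, so a look-alike local part, a plus-tagged variant, or a host that merely begins with the domain name is refused.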
