On Mon, March 23, 2015 8:36 am, Kathleen Wilson wrote:
>  Just to be clear... This is the wording copied as-is from the wiki page.
>  I have not proposed any changes yet -- I'm looking for your input on how
>  to update this wiki page, and I appreciate the input you all have
>  provided so far.
>
>  Thanks,
>  Kathleen

Right; thanks for pointing that out, as I missed it in the first pass :)

I think the concern would be that it still (presently) reads as
descriptive best practice, rather than proscriptive requirement; that is,
"Mozilla's recommendation" seems far less forceful than the reality that
it's part of the Baseline Requirements.

It also omits the "registrant" bits of the WHOIS record, which is valid
under 11.1.1 (and I'm not aware of a reason to restrict it).

There's a separate effort of evangelism; the reality is that this is the
second occurrence in as many weeks (live.fi was a similar case). The
Baseline Requirements have normalized this set of addresses to be
protected since 2012. The CA/B Forum Validation WG is working to provide
similar whitelists (e.g. to restrict the set of file paths on a Web Server
that may be used to induce issuance).

However, for this FAQ, my main advice would be to emphasize that this
isn't a Mozilla recommendation, but a Baseline Requirement, and that
non-compliance of a root (*or* its subordinates) is reason for action.

There's still plenty of misleading info on resellers' pages, for example:
- http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SSL-certificate-order.html
- http://www.webfusion.co.uk/support/answers/how-can-i-purchase-an-ssl-certificate-633/
- http://www.domainpurpose.com/ssl-faqs.htm#faq11
- https://www.secure128.com/support-resources/frequently-asked-questions.aspx#q17
  (see "What if the WHOIS info for my domain is not right?")


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
