On 3/23/15 8:36 AM, Kathleen Wilson wrote:
Just to be clear... This is the wording copied as-is from the wiki page.
I have not proposed any changes yet -- I'm looking for your input on how
to update this wiki page, and I appreciate the input you all have
provided so far.
Thanks,
Kathleen
On 3/22/15 4:18 PM, Kathleen Wilson wrote:
After reading this:
https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html
I'm thinking we need to update our wiki page:
https://wiki.mozilla.org/CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs
Thanks to all of you who contributed to this discussion, and thanks to
Ryan for providing the text that the following proposal is based on.
I did not see a lot of support to remove admin@ and administrator@, so
the proposal is to simply point to the BRs as follows.
https://wiki.mozilla.org/CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs
~~~Proposed Text~~~
Mozilla's CA Certificate Inclusion Policy requires CAs to conform to the
Baseline Requirements (BRs) in the issuance and management of publicly
trusted SSL certificates. This includes the BR restrictions on the use
of email as a way of validating that the certificate subscriber owns or
controls the domain name to be included in the certificate. CAs are
expected to conform to BR Section 11.1.1, which restricts the email
addresses that may be used to authenticate the subscriber to information
listed in the "registrant", "technical", or "administrative" WHOIS
records and a selected whitelist of local addresses, which includes
local-parts of "admin", "administrator", "webmaster", "hostmaster", and
"postmaster".
A CA that authorizes certificate subscribers by contacting any other
email addresses is deemed to be non-compliant with Mozilla's CA
Certificate Inclusion Policy and non-conforming to the Baseline
Requirements, and may have action taken upon it as described in
Mozilla's CA Certificate Enforcement Policy. CAs are also reminded that
Mozilla's CA Certificate Policy and the Baseline Requirements extend to
any certificates that are technically capable of issuing SSL
certificates, and subordinate CAs that fail to follow these requirements
reflect upon the issuing CA that certified them.
~~~~
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
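As an added example, not part of the thread or of Mozilla's wiki text: a small Python check that a CA's issuance pipeline could apply to the rule quoted in the proposal, refusing any validation e-mail address that is neither a listed WHOIS contact nor one of the whitelisted local-parts at the domain being validated. The whitelist is the one named in the proposal; the WHOIS contact list is caller-supplied, the sample addresses and domains are constructed, and treating a parent domain as acceptable is a simplification of the BR's Authorization Domain Name concept.

```python
from typing import Iterable, Tuple

# Local-parts the quoted proposal names as the BR Section 11.1.1 whitelist.
BR_LOCAL_PART_WHITELIST = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)


def _normalize(address: str) -> Tuple[str, str]:
    """Return (local_part, domain), lowercased and stripped.

    Raises ValueError for anything that is not a single local@domain pair.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single local@domain address: {address!r}")
    local, domain = address.split("@")
    domain = domain.rstrip(".")
    if not local or not domain:
        raise ValueError(f"empty local-part or domain: {address!r}")
    return local, domain


def _is_same_or_parent_domain(candidate: str, requested: str) -> bool:
    """True if CANDIDATE equals REQUESTED or is a parent of it
    (e.g. example.com for www.example.com).

    Requiring a dot in CANDIDATE is a crude stand-in for a public-suffix
    check, so that admin@com is never accepted for example.com.
    """
    if "." not in candidate:
        return False
    return candidate == requested or requested.endswith("." + candidate)


def is_authorized_validation_address(
    address: str,
    requested_domain: str,
    whois_contacts: Iterable[str] = (),
) -> Tuple[bool, str]:
    """Decide whether ADDRESS may be used to prove control of REQUESTED_DOMAIN.

    Returns (ok, reason) so the caller can log why a request was refused.
    Allowed sources, following the quoted proposal:
      1. an address listed in the registrant/technical/administrative WHOIS
         records for the domain (passed in as WHOIS_CONTACTS), or
      2. a whitelisted local-part at the requested domain or a parent of it
         (simplification of the BR's Authorization Domain Name, assumed here).
    Anything else, including an ordinary user mailbox at the domain, is refused.
    """
    try:
        local, domain = _normalize(address)
    except ValueError as exc:
        return False, str(exc)
    requested = requested_domain.strip().lower().rstrip(".")

    # Normalize the WHOIS contacts the same way; skip malformed entries
    # rather than letting a garbled record authorize anything.
    normalized_contacts = set()
    for contact in whois_contacts:
        try:
            normalized_contacts.add("@".join(_normalize(contact)))
        except ValueError:
            continue
    if f"{local}@{domain}" in normalized_contacts:
        return True, "address listed in WHOIS contact records"

    if local not in BR_LOCAL_PART_WHITELIST:
        return False, f"local-part {local!r} is not in the BR whitelist"
    if not _is_same_or_parent_domain(domain, requested):
        return False, f"domain {domain!r} is not {requested!r} or a parent of it"
    return True, f"whitelisted local-part {local!r} at {domain!r}"


if __name__ == "__main__":
    # Constructed sample requests; the third is the pattern from the linked
    # blog post, where an arbitrary mailbox at the domain was accepted.
    samples = [
        ("Admin@Example.com", "example.com", []),
        ("webmaster@example.com", "www.example.com", []),
        ("someuser@example.com", "example.com", []),
        ("ops@provider.example", "example.com", ["OPS@provider.example"]),
    ]
    for addr, dom, contacts in samples:
        ok, reason = is_authorized_validation_address(addr, dom, contacts)
        print(f"{addr:28} for {dom:18} -> {'ALLOW' if ok else 'REFUSE'}: {reason}")
```

Plus-addressed variants such as admin+x@example.com fall out naturally: the local-part is compared whole, so only the exact whitelisted strings pass.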