On 12/2/15 11:13 AM, Peter Kurrasch wrote:
I don't so much have a problem with the change but I would like to know if this
is fairly common across other cert issuers?
Personally I'm of the opinion that email is inherently insecure which makes it
a bad mechanism to use in the course of trying to establish trust. However, my
concern at the moment is the use of privacy services to obscure the actual
owner/registrar of the domain. I see no reason to believe such services are any
more trustworthy than the email channel. In fact it seems to me that those
services are the weakest link in the chain.
The implication is that only method 1, below, should be employed. However, if
everyone else is also employing method 2 I don't want to single out SECOM
unfairly.
Copied from the Baseline Requirements (note #2 and #4)...
~
3.2.2.4. Authorization by Domain Name Registrant
For each Fully‐Qualified Domain Name listed in a Certificate, the CA
SHALL confirm that, as of the date the Certificate was issued, the
Applicant (or the Applicant’s Parent Company, Subsidiary Company, or
Affiliate, collectively referred to as “Applicant” for the purposes of
this section) either is the Domain Name Registrant or has control over
the FQDN by:
1. Confirming the Applicant as the Domain Name Registrant directly with
the Domain Name Registrar;
2. Communicating directly with the Domain Name Registrant using an
address, email, or telephone number provided by the Domain Name Registrar;
3. Communicating directly with the Domain Name Registrant using the
contact information listed in the WHOIS record’s “registrant”,
“technical”, or “administrative” field;
4. Communicating with the Domain’s administrator using an email address
created by pre‐pending ‘admin’, ‘administrator’, ‘webmaster’,
‘hostmaster’, or ‘postmaster’ in the local part, followed by the
at‐sign (“@”), followed by the Domain Name, which may be formed by
pruning zero or more components from the requested FQDN;
5. Relying upon a Domain Authorization Document;
6. Having the Applicant demonstrate practical control over the FQDN by
making an agreed‐upon change to information found on an online Web page
identified by a uniform resource identifier containing the FQDN; or
7. Using any other method of confirmation, provided that the CA
maintains documented evidence that the method of confirmation
establishes that the Applicant is the Domain Name Registrant or has
control over the FQDN to at least the same level of assurance as those
methods previously described.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
