The last CA Communication laid down our policy of only permitting the 10
Blessed Methods of domain validation. A CA Communication is an official
vehicle for Mozilla Policy so this is now policy, but it's not reflected
in the main policy doc. I was planning to wait until the latest version
of the BRs had all 10 methods in, but that ballot (ballot 190) seems to
be taking a bit of time to draft. So perhaps it would be good to add
language to indicate direction of travel.

This would involve replacing section 2.2.3 of the policy with:

"for a certificate capable of being used for SSL-enabled servers, the CA
must ensure that the applicant has registered the domain(s) referenced
in the certificate or has been authorized by the domain registrant to
act on their behalf. This must be done using one or more of the 10
methods documented in section 3.2.2.4 of version 1.4.1 (and not any
other version) of the CA/Browser Forum Baseline Requirements. The CA's
CP/CPS must clearly specify the procedure(s) that the CA employs, and
each documented procedure should state which subsection of 3.2.2.4 it is
complying with. Even if the current version of the BRs contains a method
3.2.2.4.11, CAs are not permitted to use this method."

Once the BRs are back to the way they should be, a few edits to this
para should normalize the situation.

There is a deadline associated with this change of July 21st 2017;
traditionally, we communicate deadlines for particular requirements
out-of-band.

This is: https://github.com/mozilla/pkipolicy/issues/77

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy