The last CA Communication laid down our policy of only permitting the 10 Blessed Methods of domain validation. A CA Communication is an official vehicle for Mozilla Policy so this is now policy, but it's not reflected in the main policy doc. I was planning to wait until the latest version of the BRs had all 10 methods in, but that ballot (ballot 190) seems to be taking a bit of time to draft. So perhaps it would be good to add language to indicate direction of travel.
This would involve replacing section 2.2.3 of the policy with:

"for a certificate capable of being used for SSL-enabled servers, the CA must ensure that the applicant has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on their behalf. This must be done using one or more of the 10 methods documented in section 3.2.2.4 of version 1.4.1 (and not any other version) of the CA/Browser Forum Baseline Requirements. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs, and each documented procedure should state which subsection of 3.2.2.4 it is complying with. Even if the current version of the BRs contains a method 3.2.2.4.11, CAs are not permitted to use this method."

Once the BRs are back to the way they should be, a few edits to this para should normalize the situation. There is a deadline associated with this change of July 21st 2017; traditionally, we communicate deadlines for particular requirements out-of-band.

This is: https://github.com/mozilla/pkipolicy/issues/77

-------

This is a proposed update to Mozilla's root store policy for version 2.5. Please keep discussion in this group rather than on Github. Silence is consent.

Policy 2.4.1 (current version): https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process: https://wiki.mozilla.org/CA:CertPolicyUpdates

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy