> On 19 May 2017, at 10:24, Gervase Markham via dev-security-policy
> <[email protected]> wrote:
>
> On 18/05/17 23:40, Nick Lamb wrote:
>> Mmmm. I believe only 3.2.2.4 is acceptable to Mozilla, am I wrong
>> here? Judging from self-assessment document, TrustCor's actual
>> practices are all intended to be 3.2.2.4 compliant (I will examine in
>> more detail later) but the language here suggests it might be
>> possible for applicants to successfully validate for DV by some other
>> means not listed in 3.2.2.4, which (again unless I'm mistaken)
>> Mozilla considers always to be mis-issuance.
>
> As of 21st July 2017, yes :-) The language should be clear that only
> 3.2.2.4-conforming methods are allowed, and each documented method
> should say which subsection of 3.2.2.4 it is complying with.

The BR self assessment document (as well as the CPS) does indeed stipulate which of the 3.2.2.4 subsections are allowed in validation of a DV certificate. No methods outside of 3.2.2.4 are permitted. The WHOIS method mentioned here is allowed via BR 3.2.2.4.1. Note that not all of the allowed methods from the 3.2.2.4 subsections are actually used by TrustCor.

It is possible that the self-assessment summary might lead to the (incorrect) conclusion that methods other than 3.2.2.4 could be successful, but the TrustCor documents make clear that only 3.2.2.4 methods are allowed.

With respect to the particular clause referring to WHOIS, from the current CPS:

"3.2.2.4.1 Validating the Applicant as a Domain Contact

TrustCor will use the WHOIS or RDAP protocols to gain the Domain Registration document for the domain(s) being requested for certification. The email address, name, physical address present in the WHOIS record must match those details submitted as part of the application."

Regards,

Neil Dunbar
CA Administrator, TrustCor Systems, S. de R.L.

_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

