Thank you very much Nick for this analysis and the time spent on our request.

You will find below additional information. The publication of the updated CP / 
CPS will be immediate, as soon as you confirm that the level of detail is 
sufficient for you.

Thank you in advance for your help and your reply.

- Afnic control 

For each TLS/SSL certificate request, controls through “Whois” websites are 
systematically performed by the RA operator, with a screenshot added to the 
validation proofs. For French websites, as recommended by the "RGS" French 
standard, the operator performs an additional control through the AFNIC 
website, that is why we mentioned explicitly this website.

- Wildcard Domain Validation

Indeed, the process is not formally described in the CP on this subject. An 
automatic process is implemented, when ordering a wildcard SSL certificate, to 
verify that the requested domain name is made up as "*.domain.tld". To 
consolidate this check, TLDs validated by ICANN are automatically retrieved 
every day through the list on the https://publicsuffix.org website. 
In addition, the verification of the domain name owner performed by the RA will 
in all cases lead to a rejection of the application as it is impossible to 
identify the owner of a domain name of type "*.tld". Applications with an 
invalid TLD or non-domain (e.g. *.co.uk) will therefore be systematically 
rejected.

- High Risk 

Our CP/CPS have been updated with a chapter named “3.2.6 Verification of 
Certain Information Sources” which integrates the following description of our 
practices about this: 

“High risk status
The CA develops, maintains, and implements documented procedures that identify 
and require additional verification activity for High Risk Certificate Requests 
prior to the Certificate’s approval, as reasonably necessary to ensure that 
such requests are properly verified under these Requirements.
In particular, the RA is carried out controls with databases of domain names 
that are suspected to be used for phishing activities (sources related to 
“APWG” and “Phishing initiative”) and with CA’s internal databases of revoked 
certificates for compromising reason or request of certificates which are 
suspected to be used for phishing activities.”

- Contact

Terms and conditions (chapter 20) indicate the email address 
cont...@certigna.fr for every request.

This information will be added to CP/CPS at chapter 1.6.2.

Terms and conditions (chapter 21) indicate that a form is available on Certigna 
website for reporting a malicious and dangerous certificate. Other requests can 
be performed through this form.

This information will be added to CP/CPS at chapter 2.2.4.

Terms and conditions: http://cgu.certigna.fr/en/CGU_CERTIGNA_SERVICES_CA.pdf
CP: http://politique.certigna.fr/en/PCcertignaservicesca.pdf
Form: https://www.certigna.fr/contact.xhtml
   
Thank you in advance for your help and your reply.

Best regards
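
The wildcard check described under "Wildcard Domain Validation", sketched as an added example that is not part of the original message and is not Certigna's code. The function names are hypothetical, and the embedded rules are a small excerpt of Public Suffix List entries so the check runs offline; a real check would load the full, regularly refreshed list.

```python
import re

# Small excerpt of Public Suffix List rules, embedded for offline use.
# "*.ck" is a PSL wildcard rule, "!www.ck" a PSL exception rule.
PSL_RULES = "com fr uk co.uk *.ck !www.ck".split()
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_public_suffix(name, rules=PSL_RULES):
    """True if `name` is itself a public suffix under PSL matching rules."""
    labels = name.split(".")
    if "!" + name in rules:          # exception rule: name is registrable
        return False
    if name in rules:                # plain rule, e.g. "co.uk"
        return True
    if len(labels) >= 2 and "*." + ".".join(labels[1:]) in rules:
        return True                  # wildcard rule, e.g. "*.ck" covers "foo.ck"
    return len(labels) == 1          # PSL default rule "*": a bare TLD is a suffix


def check_wildcard_request(san, rules=PSL_RULES):
    """Return (accepted, reason) for a requested wildcard name."""
    san = san.lower().rstrip(".")
    if not san.startswith("*.") or "*" in san[2:]:
        return False, "not of the form *.domain.tld"
    base = san[2:]
    labels = base.split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        return False, "malformed label"
    known_tlds = {r.lstrip("!*.").split(".")[-1] for r in rules}
    if labels[-1] not in known_tlds:
        return False, "unknown TLD"
    if is_public_suffix(base, rules):
        return False, "base name is a public suffix"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    for name in ["*.example.fr", "*.fr", "*.co.uk", "*.example.co.uk",
                 "*.foo.ck", "*.www.ck", "*.example.invalidtld"]:
        print(name, check_wildcard_request(name))
```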
