Eddy Nigg wrote:
I edited the Problematic Practices page and added https://wiki.mozilla.org/CA:Problematic_Practices#Delegation_of_Domain_.2F_Email_validation_by_third_parties It might need some improvement. Frank, can you review? This will obviously affect only future inclusion requests and is not a resolution to the current issue and other CAs which might be affected.

I'm not totally happy with that language, but I'm supposed to be on vacation with my family and don't have time to rewrite it right now.

I will say however that as a general matter I think it is good CA practice to have standard procedures and associated IT systems for verifying domain ownership/control and email account ownership/control, and to have resellers either use the CA's own systems or use CA-approved equivalents. (For example, reseller A might use the CA's own instances of such systems, while reseller B might run the same software but on its own systems.)

One reason I say this is "good CA practice", as opposed to a mandatory requirement, is because of cases like enterprise PKIs where the enterprises might act as RAs and do verification based on their own internal systems (e.g., HR databases).

Frank

--
Frank Hecker
hec...@mozillafoundation.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
