Frank Hecker <[EMAIL PROTECTED]> writes:

> Verification is done by sending an email to either the domain contact
> address (as supplied by the customer and presumably verified against
> the whois database) or to a [EMAIL PROTECTED] address. I chose
> the latter option.

I looked at InstantSSL's verification process recently. They even
propose some addresses which are not mandatory role accounts
(e.g. sysadmin). So if you can get one of these localpart from your
mail provider, you will be able to get a valid cert for the domain as

Some comments on
(if these issues have been discussed already, pointers would be

It is obvious that a domain control cert has a different level of
trust than a cert where the organization has been verified using real
world methods. The draft does not distinguish between these, which
will mean that the latter will offer no benefits but will be more
expensive. A related issue is that a cert for with
O=PayPal Inc. is acceptable according to the draft.

Domain control is a tricky thing. Obtaining control over a domain for
a short time is probably not too difficult and the time could be
enough to complete the certificate verification process. To avoid this
it would be possible to require domain control for a period of, say,
five business days. I don't know if any CA has implemented something
like that.

mozilla-crypto mailing list

Reply via email to