[cabf_validation] Domain Validation Requirement of Mozilla CA Inclusion Policy

Ben Wilson ben.wilson at digicert.com
Thu Jul 30 10:02:56 MST 2015


On today's call I mentioned that the Mozilla CA Inclusion Policy had
something to say about method 1 - "Confirming the Applicant as the Domain
Name Registrant directly with the Domain Name Registrar through a Reliable
Method of Communication, for example using information provided through
WHOIS".

Section 7 of the Mozilla CA Inclusion Policy states: "for a certificate to
be used for SSL-enabled servers, the CA takes reasonable measures to verify
that the entity submitting the certificate signing request has registered
the domain(s) referenced in the certificate or has been authorized by the
domain registrant to act on the registrant's behalf;"
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/

I don't have any objection to the current wording of method 1, but in my
opinion, a simple WHOIS lookup, without more, doesn't establish that the
entity submitting the CSR is the same entity that registered or is
authorized to use the FQDN because anyone can submit a CSR and claim to be
the entity listed in WHOIS.

 
