CA/Forbidden or Problematic Practices: Difference between revisions



=== Email Address Prefixes for DV Certs ===
* '''DRAFT''' Re-Write under discussion in mozilla.dev.security.policy


For domain-validated SSL certificates, many CAs use an email challenge-response mechanism to verify that the SSL certificate subscriber owns/controls the domain to be included in the certificate. Some CAs allow applicants to select an address from a predetermined list to be used for this verification.
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] requires CAs to conform to the [[CA:BaselineRequirements|Baseline Requirements]] (BRs) in the issuance and management of publicly trusted SSL certificates. This includes the BR restrictions on the use of email as a way of validating that the certificate subscriber owns or controls the domain name to be included in the certificate. CAs are expected to conform to BR Section 11.1.1, which restricts the email addresses that may be used to authenticate the subscriber to information listed in the "registrant", "technical", or "administrative" WHOIS records and a selected whitelist of local addresses, which includes local-parts of "admin", "administrator", "webmaster", "hostmaster", and "postmaster".


Offering too many options for the email address prefix increases the risk of issuing a certificate to a subscriber who does not own/control the domain. Therefore, the list of email address prefixes should be limited.
A CA that authorizes certificate subscribers by contacting any other email addresses is deemed to be non-compliant with Mozilla's CA Certificate Inclusion Policy and non-conforming to the Baseline Requirements, and may have action taken upon it as described in [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/ Mozilla's CA Certificate Enforcement Policy]. CAs are also reminded that Mozilla's CA Certificate Policy and the Baseline Requirements extend to any certificates that are technically capable of issuing SSL certificates, and subordinate CAs that fail to follow these requirements reflect upon the issuing CA that certified them.
 
Mozilla's recommendation is to limit the set of verification addresses to the following.  
 
* admin@domain
* administrator@domain
* webmaster@domain
* hostmaster@domain
* postmaster@domain
* Plus any address listed in the technical or administrative contact field of the domain's WHOIS record, regardless of the addresses' domains.
 
The list above is case-insensitive. However, when the email verification message is sent, it should be sent to the address with the same capitalization as specified by the certificate subscriber. For example, a certificate subscriber requests that validation be sent to PostMaster@foo.com, and this is allowed because a case-insensitive comparison to the list of acceptable email addresses succeeds. The verification message will be sent to PostMaster@foo.com, with the capitalization that was specified by the certificate subscriber.
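The following is an added worked example (not part of the wiki page or of any CA's software) of the selection rule described above: the subscriber's chosen address is accepted only if its local-part is one of the five recommended prefixes at the certificate's domain, or if it appears among the domain's WHOIS technical/administrative contacts, and the accepted address is returned with the subscriber's own capitalization so the challenge goes out exactly as requested. The WHOIS contact list and the sample addresses are constructed; the code assumes the domain part must match the certificate's domain exactly and that WHOIS contacts are compared case-insensitively, neither of which the page spells out.

```python
"""Decide which address may receive a DV domain-control challenge email.

Added example: the whitelist of local-parts is taken from the recommendation
above; the WHOIS contacts and requested addresses are constructed sample data.
"""
from typing import Iterable, Optional, Tuple

# Recommended local-parts, compared case-insensitively against the request.
ALLOWED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)


def _split_address(address: str) -> Optional[Tuple[str, str]]:
    """Split 'local@domain' into its two parts; reject malformed input."""
    if address.count("@") != 1 or any(ch.isspace() for ch in address):
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return local, domain


def select_verification_address(
    requested: str,
    cert_domain: str,
    whois_contacts: Iterable[str] = (),
) -> Optional[str]:
    """Return the address the challenge should be sent to, or None if the
    subscriber's choice is not an acceptable verification address.

    requested      -- address chosen by the certificate subscriber
    cert_domain    -- domain name to be included in the certificate
    whois_contacts -- technical/administrative contact addresses from the
                      domain's WHOIS record (assumed already retrieved)

    Rule (a): local-part on the whitelist AND domain part equal to
    cert_domain (exact match is an assumption of this example).
    Rule (b): whole address equal to a WHOIS contact, whatever its domain.
    Matching is case-insensitive, but the returned value is the subscriber's
    original string so the message is sent with their capitalization.
    """
    parts = _split_address(requested)
    if parts is None:
        return None
    local, domain = parts

    # (a) whitelisted prefix at the certificate's own domain
    if (local.lower() in ALLOWED_LOCAL_PARTS
            and domain.lower() == cert_domain.lower()):
        return requested

    # (b) any WHOIS technical/administrative contact, regardless of domain.
    # Case-insensitive comparison is assumed here; a CA could instead insist
    # on an exact match, since email local-parts are case-sensitive in principle.
    contacts = {c.strip().lower() for c in whois_contacts}
    if requested.lower() in contacts:
        return requested

    return None


def demo() -> None:
    """Walk through the cases from the text plus a few rejections."""
    whois = ["Ops@other.example"]  # constructed WHOIS technical contact
    for addr in ["PostMaster@foo.com", "support@foo.com",
                 "admin@evil.example", "ops@other.example"]:
        result = select_verification_address(addr, "foo.com", whois)
        print(f"{addr:24s} -> {result if result else 'rejected'}")


if __name__ == "__main__":
    demo()
```

The function deliberately returns the subscriber's string rather than a lowercased one: the comparison is normalised, the delivery address is not, which is exactly the distinction the paragraph above draws.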


=== Delegation of Domain / Email validation to third parties ===