Line 41: | Line 41: | ||
* Require that the domain control checks are always done by the CA, never the RA. | * Require that the domain control checks are always done by the CA, never the RA. | ||
* Require DNS Name Constraints to a specified number of [http://publicsuffix.org/ Public Suffixes] to be put on any non-leaf certificate the CA issues which it does not control (e.g. subordinate CAs). | * Require DNS Name Constraints to a specified number of [http://publicsuffix.org/ Public Suffixes] to be put on any non-leaf certificate the CA issues which it does not control (e.g. subordinate CAs). | ||
* Require a current-cert-is-not-EV check for all non-EV issuances (open a connection to port 443 on the target domain(s), or www. for wildcard certs, and flag for manual review if the current cert is EV) | |||
* Require the use of high-value target domain lists to flag requests, pre-issuance, for manual review. | |||
===Changes to NSS=== | ===Changes to NSS=== |
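Review bot: The two bullets that appear on only the left side of this hunk, the current-cert-is-not-EV check and the high-value target domain lists, are the only items in the visible part of the list that flag a request for manual review before issuance; the surviving context lines cover only who performs domain control checks and Name Constraints on non-leaf certificates. No rationale for dropping them is visible here, so the reason should be stated in the edit summary or the bullets kept and marked as rejected. If the EV check bullet is retained in any form, it should say what happens when the connection to port 443 fails or times out, and it needs a closing period to match the other bullets.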