CA/Required or Recommended Practices: Difference between revisions

Line 34: Line 34:
Section 7 of the [http://www.mozilla.org/projects/security/certs/policy Mozilla CA Certificate Policy] states: “for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf"
Section 7 of the [http://www.mozilla.org/projects/security/certs/policy Mozilla CA Certificate Policy] states: “for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf"


[http://en.wikipedia.org/wiki/WHOIS WHOIS] may be used by some CAs as a source of information for checking  
[http://en.wikipedia.org/wiki/WHOIS WHOIS] is used by some CAs as a source of information for checking  
ownership/control of the domain name for SSL certificate applications. WHOIS information may be subject to compromise. CAs are responsible for implementing appropriate methods to reduce the risk of compromise.  For example, direct command line, HTTPS to the original registrar, or correlating multiple sources.  The CA should include information in their CP/CPS about the method that they use to validate the integrity of the data.
ownership/control of the domain name for SSL certificate applications. WHOIS information may be subject to compromise. CAs are responsible for implementing appropriate methods to reduce the risk of compromise.  For example, direct command line, HTTPS to the original registrar, or correlating multiple sources.  The CA should include information in their CP/CPS about the method that they use to validate the integrity of the data.
Many CAs use an email challenge-response mechanism to verify that the SSL certificate subscriber owns/controls the domain to be included in the certificate. Some CAs allow applicants to select an address from a predetermined list to be used for this verification. See [[CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs|Mozilla's restrictions on the set of verification addresses that may be used.]]


=== Verifying Email Address Control ===  
=== Verifying Email Address Control ===  
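Review bot: the example sentence in the WHOIS paragraph ("For example, direct command line, HTTPS to the original registrar, or correlating multiple sources.") is a fragment that never says what these are examples of, and it is carried unchanged into the new revision; suggest rewording it to name the methods, e.g. "For example, querying WHOIS directly from the command line, retrieving the record over HTTPS from the original registrar, or correlating multiple independent sources." The change from "may be used" to "is used" also turns a hedge into a statement of fact about CA practice, which is fine only if it is meant as a description of what some CAs actually do rather than as a recommendation; the surrounding text reads as recommendations, so consider keeping the hedge or making the descriptive intent explicit. The new paragraph on email challenge-response could state in one clause why the address list is restricted (addresses not under the registrant's control would let a third party pass the challenge), so the cross-reference to the Problematic Practices page is self-explanatory.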