Confirm, administrator
5,526
edits
Changes
→Verifying Domain Name Ownership
Many CAs use an email challenge-response mechanism to verify that the SSL certificate subscriber owns/controls the domain to be included in the certificate. Some CAs allow applicants to select an address from a predetermined list to be used for this verification. See [[CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs|Mozilla's restrictions on the set of verification addresses that may be used.]]
Since we rely on public documentation and audits of those documented processes to ascertain that the CA takes reasonable measures to verify that the certificate subscriber owns/controls the domain name to be included in the certificate, the CA's public documentation needs to provide sufficient information describing what data is retrieved from public resources (such as whois) and how that data is used to do the verification.
=== Verifying Email Address Control ===
