CA/Required or Recommended Practices

167 bytes removed, 21:39, 9 August 2010
=== Verifying Domain Name Ownership ===
Section 7 of the [http://www.mozilla.org/projects/security/certs/policy Mozilla CA Certificate Policy] states: “for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf.”
 
The CA's public documentation needs to provide sufficient information describing the public resources that are used, what data is retrieved from public resources, and how that data is used to verify that the certificate subscriber owns/controls the domain name.
[http://en.wikipedia.org/wiki/WHOIS WHOIS] is used by some CAs as a source of information for checking
Many CAs use an email challenge-response mechanism to verify that the SSL certificate subscriber owns/controls the domain to be included in the certificate. Some CAs allow applicants to select an address from a predetermined list to be used for this verification. See [[CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs|Mozilla's restrictions on the set of verification addresses that may be used.]]
 
Since Mozilla relies on public documentation, and on audits of the processes that documentation describes, to ascertain that the CA takes reasonable measures to verify that the certificate subscriber owns/controls the domain name to be included in the certificate, the CA's public documentation needs to state what data is retrieved from public resources (such as WHOIS) and how that data is used to perform the verification.
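The email challenge-response flow described above, as an added example in Python that is not from this page or from any CA's code. The set of accepted mailbox local parts is a constructed stand-in for the Mozilla list the text links to, and the parent-domain rule is a simplification (a real implementation must consult the Public Suffix List); the point is that the CA, not the applicant, picks the address, and that the token is random, single-use and time-limited.

```python
import hmac
import secrets
import time

# Constructed illustrative set of "predetermined" local parts; the real list
# is the one Mozilla's problematic-practices page restricts CAs to.
ALLOWED_LOCAL_PARTS = {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
TOKEN_TTL_SECONDS = 24 * 3600


def is_acceptable_verification_address(address: str, requested_domain: str) -> bool:
    """Accept only <allowed-local-part>@<requested domain or a parent of it>."""
    local, sep, mail_domain = address.rpartition("@")
    if not sep or not local or not mail_domain:
        return False
    local = local.lower()
    mail_domain = mail_domain.lower().rstrip(".")
    requested = requested_domain.lower().rstrip(".")
    if local not in ALLOWED_LOCAL_PARTS:
        return False
    # Simplification: a parent domain must have at least two labels, so that
    # admin@com is rejected. Real code must use the Public Suffix List here.
    if mail_domain.count(".") < 1:
        return False
    return requested == mail_domain or requested.endswith("." + mail_domain)


class EmailChallengeStore:
    """Issues and redeems one-time domain-control tokens (clock injectable for tests)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # requested domain -> (token, expiry, address)

    def issue(self, requested_domain: str, address: str) -> str:
        if not is_acceptable_verification_address(address, requested_domain):
            raise ValueError("address is not an approved verification mailbox for this domain")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[requested_domain.lower()] = (token, self._now() + TOKEN_TTL_SECONDS, address)
        return token  # the CA mails this to `address`; nothing else is trusted

    def redeem(self, requested_domain: str, presented: str) -> bool:
        # Any attempt consumes the challenge: one guess per issued token.
        entry = self._pending.pop(requested_domain.lower(), None)
        if entry is None:
            return False
        token, expiry, _ = entry
        if self._now() > expiry:
            return False
        return hmac.compare_digest(token, presented)  # constant-time comparison
```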
=== Verifying Email Address Control ===