Frank Hecker <[EMAIL PROTECTED]> writes:

> Verification is done by sending an email to either the domain contact
> address (as supplied by the customer and presumably verified against
> the whois database) or to a [EMAIL PROTECTED] address. I chose
> the latter option.

I looked at InstantSSL's verification process recently. They even propose some addresses which are not mandatory role accounts (e.g. sysadmin). So if you can get one of these localparts from your mail provider, you will be able to get a valid cert for the domain as well.

Some comments on http://www.hecker.org/mozilla/ca-certificate-policy (if these issues have been discussed already, pointers would be appreciated):

It is obvious that a domain control cert has a different level of trust than a cert where the organization has been verified using real-world methods. The draft does not distinguish between these, which will mean that the latter will offer no benefits but will be more expensive. A related issue is that a cert for www.pay-pal.com with O=PayPal Inc. is acceptable according to the draft.

Domain control is a tricky thing. Obtaining control over a domain for a short time is probably not too difficult, and the time could be enough to complete the certificate verification process. To avoid this it would be possible to require domain control for a period of, say, five business days. I don't know if any CA has implemented something like that.

Hendrik