On Fri, Sep 26, 2014 at 02:42:05PM +0200, Certificates wrote:
> I don't read the CP (specifically, s2.4) as confirming "that the Applicant
> controls the Fully-Qualified Domain Name" (as per BR 1.1.9 s.9.2.1).
>
> KIR's answer:
>
> To get a SSL certificate client has to provide (CSP s.3.2):

That's presumably supposed to be "CPS", not "CSP" (I noted that error frequently throughout the documents themselves; you might want to get that corrected).

> -agreement,
> -order,
> -document confirming rights to the domain.

What valid forms can this document take? What steps are taken to verify or validate that information?

> Identification and authentication includes (CSP s.3.2, 3.2.2, CP s.2.4):
>
> 1. verification of agreement (we check if the company exist, who sign
> agreement, if it is entitled representative),
> 2. verification of order (we check who sign order, if it is entitled
> representative, if the data given in order are correct),
> 3. verification whether the client has granted the right to the domain (we
> check who is an owner of the domain);

How is that ownership check performed?

> 4. verification whether the client controls the domain (we ask to place
> data indicated by KIR on server);
> 5. identity of person authorised to represent client (we meet face to face
> with that person).
>
> If it is still unclear in CSP we can make it more clarified.

That would be appreciated.

> > > Note that test certificates have their own policy's distinguished
> > > identifier (s 2.5 CP).
> >
> > Are you asking Mozilla to blacklist certificates marked with that OID from
> > being trusted? If not, the fact that they have such an identifier is
> > irrelevant for the purposes of determining trustworthiness.
> >
> > > I am not sure if Mozilla has implemented functionality like blacklist for
> > > certificates marked with OID. As we can see other CAs do not force their
> > > subscriber to show their ID even during issuing non-test certificates. We
> > > check subscribers identity face to face.
>
> That is not clear from the CPS.
>
> KIR's answer:
>
> When issuing test certificate, we check the points 1 -4 listed above, and
> the validity of the renewed certificate.

That would be a good clarification to place in the CPS itself.

- Matt