On Thursday, November 23, 2017 at 4:03:27 AM UTC-7, michael.vonn...@bit.admin.ch wrote:
> Hi Matt
>
> Thank you for your statement.
>
> Let me try to clarify:
>
> In 3.2.2.4 we specify the Authorization by Domain Name Registrant as follows:
>
> 3.2.2.4 Authorization by Domain Name Registrant
> For each Fully-Qualified Domain Name listed in a Certificate, SG PKI confirms
> that, as of the date the Certificate was issued, the Applicant (or the
> Applicant's Parent Company, Subsidiary Company or Affiliate, collectively
> referred to as "Applicant" for the purpose of this Section) either is the
> Domain Name Registrant or has control over the FQDN by:
> - communicating directly with the Domain Name Registrant using the contact
>   information listed in the WHOIS records "registrant", "technical" or
>   "administrative" field.
> - Relying upon a Domain Authorization Document approved by the Domain Name
>   Registrant. The document MUST be dated on or after the certificate request
>   date or used by SG PKI to verify a previously issued certificate and that
>   the Domain Name's WHOIS record has not been modified since the previous
>   certificate issuance.
>

The Mozilla policy requires the CPS to reference the specific BR section, so at the very least the CPS is out of compliance because it does not contain these references.

> And in paragraph 4.2 the certificate application process is described and
> refers in the end to the before mentioned checklist:
>
> [...]
> The validation process is detailed in a checklist for each certificate type.
> [25][26][27] [...]
>

Mozilla's Required Practices document [1] specifies more details on the amount of disclosure required for a CA's domain validation methods.

> As the checklist potentially needs to be adapted to actual threats, we chose
> to leave it in a separate document and refer to it in the CPS to make the
> check procedure transparent.
> If required, we will adapt this procedure and integrate all steps into the
> CPS. That would make the checklist document handling less agile. I would
> appreciate some more input on this point from others, before we change that.
>

I'm familiar with a number of CPS documents and they all include details on domain validation practices. I'm also concerned about the separate document because:

1. It was not accessible when I originally requested it (404)
2. It contains a comment that implies the use of 7 methods instead of just two as stated in the CPS
3. That comment references outdated methods including "any other"
4. It appears that the document hasn't been updated in over a year and it contains no version control information other than a date and "version 1.0"

> Regards
> Michael

[1] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Domain_Name_Ownership

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy