<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If the reseller happens to be a domain registrar, it’s possible they can/do include one of these email addresses as a Who-is contact and also set up that email
 account for the user, which is completely acceptable.  The domain owner has “approved” this email for their who-is which is then used for domain control.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I’m just guessing, but that is one way to advertise a different list of approver emails and then actually use them in a compliant way.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Doug<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></a></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Monday, March 30, 2015 10:52 AM<br>
<b>To:</b> Adriano Santoni - Actalis S.p.A.<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Non-whitelisted email addresses used for DV issuing<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>I had also contacted CERT for more evidence of the CAs affected. Several CAs listed as affected, when reviewing their CPS, clearly indicated otherwise.<o:p></o:p></p>
<p>It's unclear what evidence exists, other than that reseller page. That said, I have noted numerous resellers making claims of acceptable email addresses that are not in line with the issuing CA's CPS. I can assume this is caused by out of date information
 by the reseller, and not an accurate statement of reality, for as Gerv notes, the whitelist of acceptable emails is abundantly clear.<o:p></o:p></p>
<p>This may be a good opportunity for CAs to reach out to their resellers and ensure correct and current documentation. Obviously, it can reflect poorly on the CA when the reseller is making inaccurate claims - and reflects even poorer if the claims are accurate.<o:p></o:p></p>
<div>
<p class="MsoNormal">On Mar 30, 2015 5:37 AM, "Adriano Santoni - Actalis S.p.A." <<a href="mailto:adriano.santoni@staff.aruba.it">adriano.santoni@staff.aruba.it</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Calibri",sans-serif">That list caught me by surprise, as I am not aware that we allow non-whitelisted email addresses. Besides, to date we have not even started checking domain control
 by email....<br>
<br>
I contacted CERT to try and find out how they figured out which CAs are "affected" and which not (apart from reading CPS's).<br>
<br>
Adriano<br>
<br>
</span><o:p></o:p></p>
<div>
<p class="MsoNormal">Il 30/03/2015 12:07, Gervase Markham ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Hi everyone,<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>On 30/03/15 10:47, Sigbjørn Vik wrote:<o:p></o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>According to <a href="http://www.kb.cert.org/vuls/id/591120" target="_blank">http://www.kb.cert.org/vuls/id/591120</a>, some issuers use<o:p></o:p></pre>
<pre>non-whitelisted email addresses to verify domain ownership.<o:p></o:p></pre>
</blockquote>
<pre>Thanks for bringing this up. This came to Mozilla's attention over the<o:p></o:p></pre>
<pre>weekend as well. Could all CAs please check that they and their RAs are<o:p></o:p></pre>
<pre>conforming to the BRs on this issue?<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>BRs 11.1.1.4 say:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>"11.1.1 Authorization by Domain Name Registrant<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>For each Fully-Qualified Domain Name listed in a Certificate, the CA<o:p></o:p></pre>
<pre>SHALL confirm that, as of the date the Certificate was issued, the<o:p></o:p></pre>
<pre>Applicant ... either is the Domain Name Registrant or has control over<o:p></o:p></pre>
<pre>the FQDN by:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>...<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>4. Communicating with the Domain’s administrator using an email address<o:p></o:p></pre>
<pre>created by pre-pending ‘admin’, ‘administrator’, ‘webmaster’,<o:p></o:p></pre>
<pre>‘hostmaster’, or ‘postmaster’ in the local part, followed by the at-sign<o:p></o:p></pre>
<pre>(“@”), followed by the Domain Name, which may be formed by pruning zero<o:p></o:p></pre>
<pre>or more components from the requested FQDN"<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Mozilla believes the BRs are clear here: it is not acceptable to issue<o:p></o:p></pre>
<pre>certs using email confirmation where the email address is not either in<o:p></o:p></pre>
<pre>the relevant parts of WHOIS or has a localpart which exactly matches one<o:p></o:p></pre>
<pre>of those five options.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Gerv<o:p></o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">-- <br>
<i>Adriano Santoni</i> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
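<p class="MsoNormal">The rule Gerv quotes from BR 11.1.1.4 and the reseller mismatch Ryan describes, as an added example that is not part of any message in this thread and is not CAB Forum, Mozilla or any CA's code: a Python check a CA could run over the approver addresses a reseller advertises, accepting an address only when it is one of the supplied WHOIS contacts or has exactly one of the five permitted local parts at the requested FQDN or a pruned form of it. The function names, the sample addresses and the WHOIS contact list are all constructed for this example; case-insensitive comparison and the absence of any public-suffix cut-off when pruning are this example's assumptions, not statements from the quoted text.</p>

```python
"""Check candidate domain-validation approver e-mail addresses against the
BR 11.1.1.4 rule quoted in the thread.  Added example, not CAB Forum code."""

# The five local parts the quoted BR text permits (Gerv's "five options").
BR_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)


def _labels(name: str) -> list[str]:
    """Split a DNS name into labels, ignoring a trailing dot and empty labels."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def is_pruned_form(candidate_domain: str, fqdn: str) -> bool:
    """True if candidate_domain equals fqdn with zero or more leading labels removed.

    Comparison is label-wise, so 'ample.com' is not a pruned form of
    'www.example.com'.  The quoted BR text says nothing about stopping at a
    public suffix, so this helper (an assumption of the example) does not
    consult a public-suffix list either.
    """
    cand = _labels(candidate_domain)
    full = _labels(fqdn)
    if not cand or len(cand) > len(full):
        return False
    return full[len(full) - len(cand):] == cand


def classify_approver(email: str, fqdn: str, whois_contacts=()) -> tuple[bool, str]:
    """Return (acceptable, reason) for one approver address.

    Acceptable when the address appears among the WHOIS contacts supplied by
    the caller (constructed input here; no live WHOIS lookup is performed), or
    when its local part is exactly one of the five BR local parts and its
    domain is the FQDN or a pruned form of it.  Matching is case-insensitive,
    which is this example's assumption.
    """
    addr = email.strip().lower()
    if addr.count("@") != 1:
        return False, "malformed address"
    local, _, domain = addr.partition("@")
    if addr in {c.strip().lower() for c in whois_contacts}:
        return True, "listed as a WHOIS contact"
    if local not in BR_LOCAL_PARTS:
        return False, f"local part {local!r} is not one of the five BR local parts"
    if not is_pruned_form(domain, fqdn):
        return False, f"domain {domain!r} is not {fqdn!r} or a pruned form of it"
    return True, "BR 11.1.1.4 constructed address"


def audit_reseller_list(advertised, fqdn, whois_contacts=()):
    """Flag every advertised approver address that the rule does not allow.

    Returns the list of (address, reason) pairs that fail; an empty list means
    the reseller's advertised list agrees with the rule for this FQDN.
    """
    failures = []
    for email in advertised:
        ok, reason = classify_approver(email, fqdn, whois_contacts)
        if not ok:
            failures.append((email, reason))
    return failures


if __name__ == "__main__":
    # Constructed sample of what a reseller page might advertise for www.example.com.
    sample = [
        "admin@www.example.com",
        "hostmaster@example.com",
        "ssladmin@example.com",
        "admin@other-example.com",
        "registrant@example.net",
    ]
    # Constructed WHOIS contact supplied by the caller, standing in for a real lookup.
    whois = ["registrant@example.net"]
    for failure in audit_reseller_list(sample, "www.example.com", whois):
        print(failure)
```

<p class="MsoNormal">Run as a script it prints the two constructed addresses that fail (the non-permitted local part and the unrelated domain); the WHOIS-contact branch is deliberately separate from the five-local-part branch so an audit log shows which of the two grounds in the quoted rule justified acceptance.</p>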
</body>
</html>