[cabfpub] Non-whitelisted email addresses used for DV issuing

Gervase Markham gerv at mozilla.org
Mon Mar 30 03:07:08 MST 2015


Hi everyone,

On 30/03/15 10:47, Sigbjørn Vik wrote:
> According to http://www.kb.cert.org/vuls/id/591120, some issuers use
> non-whitelisted email addresses to verify domain ownership.

Thanks for bringing this up. This came to Mozilla's attention over the
weekend as well. Could all CAs please check that they and their RAs are
conforming to the BRs on this issue?

BRs 11.1.1.4 say:

"11.1.1 Authorization by Domain Name Registrant

For each Fully-Qualified Domain Name listed in a Certificate, the CA
SHALL confirm that, as of the date the Certificate  was  issued,  the
Applicant ... either is the Domain Name Registrant or has control over
the FQDN by:

...

4. Communicating with the Domain’s administrator using an email address
created by pre-pending ‘admin’, ‘administrator’, ‘webmaster’,
‘hostmaster’, or ‘postmaster’ in the local part, followed by the at-sign
(“@”), followed by the Domain Name, which may be formed by pruning zero
or more components from therequested FQDN"

Mozilla believes the BRs are clear here: it is not acceptable to issue
certs using email confirmation where the email address is not either in
the relevant parts of WHOIS or has a localpart which exactly matches one
of those five options.

Gerv


More information about the Public mailing list