[cabfpub] Domain validation

Gervase Markham gerv at mozilla.org
Fri May 8 16:16:41 UTC 2015


Hi Peter,

On 07/05/15 15:27, Peter Bowen wrote:
> Mozilla's policy is more restrictive than the BRs today:
> "for a certificate to be used for SSL-enabled servers, the CA takes
> reasonable measures to verify that the entity submitting the
> certificate signing request has registered the domain(s) referenced in
> the certificate or has been authorized by the domain registrant to act
> on the registrant’s behalf"

I think that in the case of mycompany.cloudapp.net, if that's the name
referenced in the certificate, then mycompany has "registered" that name
with Microsoft, and so the first half of the clause would trigger.

> The BRs give four options: (a) requester ("Applicant") is the domain
> name registrant, (b) registrant has granted requester the right to
> use the FQDN, (c) someone else has granted requester the right to use
> the FQDN, or (d) requester has control of the FQDN.  Mozilla only
> appears to allow (a) or (b).

I think c) is covered using the logic above (i.e. we are using a looser
understanding of 'registered') and d) is covered too really, because
having control is a /de facto/ right to use. d) and c) are not that
dissimilar.

Gerv


