Hello,
During a recent review of domain validation practices across the industry, it has become apparent that CP/CPSs of several CAs have not been updated to reflect changes to allowed domain validation methods over the past two years.
Given that CAs must accurately document and exhaustively list the domain validation methods used in their processes [1], I encourage CAs to review their policy documents to ensure that they are compliant with the current Baseline Requirements. Special attention should be paid to changes surrounding ballots SC14 [2], SC25 [3], and SC33 [4], where several domain validation methods were prohibited and replacement methods defined.
Thanks,
Corey
[1] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements
[2] https://cabforum.org/2019/02/01/ballot-sc14-updated-phone-validation-methods/
[3] https://cabforum.org/2020/02/01/ballot-sc25-define-new-http-domain-validation-methods-v2/
[4] https://cabforum.org/2020/08/14/ballot-sc33-tls-using-alpn-method/
Hello,
During a recent review of domain validation practices across the industry, it has become apparent that CP/CPSs of several CAs have not been updated to reflect changes to allowed domain validation methods over the past two years.
Given that CAs must accurately document and exhaustively list the domain validation methods used in their processes [1], I encourage CAs to review their policy documents to ensure that they are compliant with the current Baseline Requirements. Special attention should be paid to changes surrounding ballots SC14 [2], SC25 [3], and SC33 [4], where several domain validation methods were prohibited and replacement methods defined.
Thanks,
Corey