What email addresses are treated as trusted?
It's a rather short list: ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’.
Now that's the fixed and static list. But: contact info from WHOIS is also legal.
From the CA/Browser Forum's Baseline Requirements, page 17:
11.1.1 Authorization by Domain Name Registrant
For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant’s Parent Company, Subsidiary Company, or Affiliate, collectively referred to as “Applicant” for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN by: [...]
Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field;
Communicating with the Domain’s administrator using an email address created by pre-pending ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at-sign (“@”), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN;
Edit 2015-03-21: Entrust blog. Here's a nice blog entry with some backstory.
Bruce Morton, Entrust Identity ON Blog, 2015-03-20, What Happened with Live.fi? (Archived here.)
Interesting quote here:
The attack we are talking about has been performed before in 2009. It was done to the RapidSSL CA where they provided fourteen email addresses for the subscriber to choose from. In this case the attack was also done against another Microsoft domain login.live.com where the subscriber registered [email protected], then requested the certificate using the email address they controlled. This created a security furor to limit the email addresses.
Edit 2015-03-24: WHOIS The "Baseline Requirements" also allow E-mail addresses from WHOIS records. I have updated this above.