In September, the CA/Browser Forum, a consortium of certificate authorities (CAs) and browser vendors, proposed significant changes to the domain control validation (DCV) methods in the Baseline Requirements – specifically, the elimination of the domain verification method that relies on WHOIS information. The proposed ballot changes how CAs may validate that an applicant controls a domain. Its aim is to make certificate issuance more secure and reliable by moving CAs and their customers to DCV methods that do not depend on third-party WHOIS data.
Background on WHOIS-Based Email Verification
For the last 20 years, WHOIS has been one of the sources CAs have used to confirm who controls a domain before issuing a certificate for it. Email-based verification using a contact address taken from WHOIS data has always been very popular because it is easy: the applicant only has to click a link in an email, with no DNS or web server changes.
However, several issues have emerged with this method:
- Security Vulnerabilities: Researchers found that the WHOIS server used for certain top-level domains (TLDs) had changed over time, yet some CAs still queried the legacy server hostnames hardcoded in their validation systems. Anyone who gains control of such a stale hostname can answer WHOIS queries with fabricated records, including a contact email address of their choosing, and so pass email-based DCV for domains they do not control. In other words, the trustworthiness of this method depends on infrastructure that neither the CA nor the domain holder operates.
- Privacy Regulations: Changes in privacy laws have resulted in the redaction of WHOIS data, making it less reliable for verification purposes.
Details of the Proposal
In response to these concerns, the CA/Browser Forum has put forth Ballot SC-080 V3, which proposes the following:
- Tighten the current requirements for WHOIS-based domain validation: Effective January 15, 2025, CAs will be prohibited from relying on domain contact information (email address or phone number) obtained from an HTTPS website (for example, a registrar's web-based lookup page) and must obtain the contact information directly via the WHOIS protocol (RFC 3912) or the Registration Data Access Protocol (RDAP, RFC 7482).
- Prohibition of WHOIS for domain contact identification: Effective July 15, 2025, WHOIS-based domain validation must not be used at all. In addition, validation data previously obtained through this method may no longer be reused to issue new certificates, so affected domains must be revalidated with another method.
- Transition to alternative DCV methods:
- Email to DNS TXT Contact: This is the recommended alternative if you wish to continue verifying domains by email. The domain holder publishes the contact email address in a DNS TXT record at the _validation-contactemail label under the domain, and the CA sends the verification email to that address. It requires a one-time DNS setup per domain, after which future validations can be handled by automated emails.
- DNS TXT (Random Value in DNS): Verifying the domain by creating a TXT record in DNS containing a random value provided by the CA.
- Constructed Email to Domain Contact: Sending an authorization email to one of five generic addresses at the domain (admin@, postmaster@, hostmaster@, webmaster@, administrator@).
- Web Server Verification: Confirming control of the domain by verifying the presence of a token or random value in a file served from the website (under /.well-known/pki-validation/). This method cannot be used for wildcard certificates and only validates the specific fully qualified domain name it is performed on.
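A common cause of failed DNS-based validation is a record that looks right but does not match exactly (stray quotes, trailing whitespace, a long value not split into 255-byte character-strings, or two contact addresses where one is expected). The following pre-check script is an added example, not code from Entrust or the CA/Browser Forum: it checks a zone for the random-value TXT record and the _validation-contactemail record before the request is submitted to a CA. It runs offline against a constructed mock zone; the domain names, record contents and random values are made up, and the _validation-contactemail label is the one the Baseline Requirements define for the Email to DNS TXT Contact method. To check a live zone, replace mock_resolve_txt with a real lookup (for instance dnspython's dns.resolver.resolve(name, "TXT"), returning each rdata's .strings).

```python
"""Offline pre-check for two DNS-based DCV methods:
the random-value TXT record and the _validation-contactemail record.

Added example with a constructed mock zone; nothing here is real DNS data.
"""
from typing import Callable, Optional

# Label defined in the Baseline Requirements for the "Email to DNS TXT Contact"
# method: the CA reads the contact address from _validation-contactemail.<domain>.
CONTACT_LABEL = "_validation-contactemail"

# Made-up random value standing in for the one a CA hands out per request.
RANDOM_VALUE = "5f1c0e7b2a4d9c3e8b6f0a1d2c3e4f5a6b7c8d9e"
# A value longer than 255 bytes must be published as several TXT character-strings;
# a correct checker joins them before comparing.
LONG_VALUE = "0123456789abcdef" * 17          # 272 bytes, constructed
SPLIT_RDATA = (LONG_VALUE[:255], LONG_VALUE[255:])

# Constructed mock zone: owner name -> list of TXT rdatas, each rdata a tuple of
# character-strings exactly as a resolver would hand them back.
MOCK_ZONE = {
    "example.com.": [("v=spf1 -all",), (RANDOM_VALUE,)],
    "_validation-contactemail.example.com.": [("hostmaster@example.com",)],
    # Operator pasted the value with surrounding quotes and a trailing space.
    "typo.example.com.": [('"' + RANDOM_VALUE + '" ',)],
    "long.example.com.": [SPLIT_RDATA],
    # Two addresses published: ambiguous, so no usable contact.
    "_validation-contactemail.two.example.com.": [("a@two.example.com",), ("b@two.example.com",)],
}

Resolver = Callable[[str], list[tuple[str, ...]]]


def mock_resolve_txt(name: str) -> list[tuple[str, ...]]:
    """Stand-in for a DNS lookup: return the TXT rdatas at `name` (empty list if none)."""
    fqdn = name if name.endswith(".") else name + "."
    return MOCK_ZONE.get(fqdn.lower(), [])


def txt_values(resolver: Resolver, name: str) -> list[str]:
    """Join each rdata's character-strings into the single value a CA compares against."""
    return ["".join(parts) for parts in resolver(name)]


def check_random_value(resolver: Resolver, name: str, random_value: str) -> str:
    """'ok' if `name` publishes exactly `random_value` in a TXT record;
    'near-miss' if a record matches only after stripping quotes/whitespace
    (a CA performs an exact comparison and will reject that);
    'missing' if nothing resembling the value is published."""
    values = txt_values(resolver, name)
    if random_value in values:
        return "ok"
    for v in values:
        if v.strip().strip('"') == random_value:
            return "near-miss"
    return "missing"


def contact_email(resolver: Resolver, domain: str) -> Optional[str]:
    """Return the single mailbox published at _validation-contactemail.<domain>,
    or None if there is no such record or it is ambiguous or malformed."""
    candidates = []
    for v in txt_values(resolver, f"{CONTACT_LABEL}.{domain}"):
        local, sep, host = v.partition("@")
        # The whole RDATA must be one bare address: no surrounding text or whitespace.
        if sep and local and host and not any(c.isspace() for c in v):
            candidates.append(v)
    return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    for name in ("example.com", "typo.example.com", "www.example.com"):
        print(name, check_random_value(mock_resolve_txt, name, RANDOM_VALUE))
    print("long.example.com", check_random_value(mock_resolve_txt, "long.example.com", LONG_VALUE))
    print("contact:", contact_email(mock_resolve_txt, "example.com"))
    print("contact (ambiguous):", contact_email(mock_resolve_txt, "two.example.com"))
```

Note that the check only looks at the exact name you pass it. CAs may validate at the FQDN itself or at a parent (Authorization Domain Name), and some accept the random-value record under an underscore-prefixed label; pass whichever name your CA's instructions specify.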
Next Steps
To prepare for these upcoming changes and avoid repeated domain reverification, Entrust will discontinue the WHOIS-based domain verification method effective November 27, 2024. Domains validated using this method must be reverified by March 31, 2025. We also recommend that organizations stop using WHOIS-based verification immediately and switch to one of the alternative DCV methods above. For more information, please refer to our Knowledge Base article: Verification Help: Domain Verification Methods | Entrust.