In 2018, the CA/Browser Forum held a domain validation summit to the review the approved domain validation methods. The meeting covered benefits and issues with each validation method. The outcome of the meeting resulted in proposals to change existing methods and some proposals for new methods.
Coinciding with the validation method discussion was the implementation of GDPR. This is a European initiate for privacy protection. GDPR compliance has provided issues with the use of Method 2 where the email address or the phone number found in the WHOIS record for the domain name was no longer provided. This meant that the certification authorities (CAs) could no longer use this information to contact the domain name registrant to confirm authorization to issue a certificate with the requested domain name.
Method 13 was developed to address the GDPR issue and was approved by the CA/Browser Forum in December 2018. Method 13 allows an email address to be posted in a CAA record or in DNS text associated with the domain name. Once the email address is obtained, most of the domain validation rules are similar to Method 2. The CA would have to send a random value in the email and the confirming response would have include the random value. The response would have to be provided within 30 days, otherwise the random value will expire.
The email address can be used for 13 months to validate domains used for EV certificates and 825-days for OV/DV certificates. The email address can also be used to confirm subdomains and wildcard certificates using the approved domain name.
CAA Email Contact
To use Method 13, DNS administrators will have to set up a DNS CAA Email Contact associated with their domain name.
Here is an example for the CAA record using domain name example.com
- $ORIGIN example.com
- CAA 0 contactemail [email protected]
Requirements for the email address are defined in RFC 6532 section 3.2, with no additional padding or structure.
Note that the CAA record does not have to have a CAA issue record. This means the DNS CAA Email Contact can be used by all CAs. Restrictions can be implemented by adding in a CAA issue record(s) to limit the authorized CAs.
DNS TXT Record Contact
The DNS TXT Record Email Contact email address must be placed specifically in a subdomain called “_validation-contactemail” of the domain being validated.
The email address for DNS TXT must also comply with RFC 6532 section 3.2, with no additional padding or structure.
Method 13 is the first step as the CA/Browser Forum begins to add new methods for updating domain name validation. In 2019, we can also look forward to adding phone numbers to CAA and DNS TXT to provide more options for domains verification.