The CA/Browser Forum continues to improve domain name validation for SSL/TLS certificates. Following new methods to verify domain names using emails with CAA and DNS TXT, there are new methods to validate domain names using phone calls.
CA/Browser Forum ballot SC14 will replace method 3, by using a phone number found in one of the following two methods:
- Method 15: WHOIS domain contact phone number
- Method 16: DNS TXT record phone contact
Certification authorities (CAs) may still use method 3 no later than May 31, 2019.
Method 15 – Phone Contact with Domain Contact
Method 15 is really an update to method 3. The CA will use the domain registration process to review WHOIS and find a phone number for a domain contact. The domain contact can then approve the use of the domain name by the certificate requester. If someone else answers the call, the updated method will allow the call to be transferred to the domain contact.
If voicemail is reached, the CA may leave a message with a random value which expires in 30 days. The domain contact can then confirm domain use by providing the random value in their response communication.
Method 15 may suffer from GDPR issues, where the domain contact name and phone number are considered to be private information. In this case, the information may not provide in WHOIS, so another domain validation method will have to be sued.
Method 16 – Phone Contact with DNS TXT Record Phone Contact
Method 16 supports GDPR by allowing a phone contact telephone number to be provided as a DNS TXT record. In this case, the phone number is not associated with a person’s name.
To support method 16, the DNS administrator will have to create a DNS TXT record with a “_validation-contactphone” subdomain. The record will include a valid phone number meeting the requirements of RFC section 5.1.4.
For method 16, the phone call should not knowingly be transferred as the number was provided specifically for domain validation. If a voicemail is reached, then the random value can be used similar to method 15.
There will be one more method to validate a domain name using a phone number which will probably be proposed later in the year. This method will allow the domain owner to add the phone number in a CAA record associated with domain. Stay tuned.