2018 marked a year that was full of change in the world of SSL/TLS certificates. From new limits and certificate lifetimes to the full adoption of Certificate Transparency, the SSL world has become both increasingly interesting and complex for security-conscious professionals and organizations.
The validation process for SSL/TLS certificates also changed considerably in 2018, as the CA/Browser Forum looked to make processes even more secure. The biggest change happened in August when two domain validation methods were eliminated from the list of acceptable ways to verify domain control or ownership.
In addition to these industry changes, new privacy laws in Europe have greatly impacted the availability of WHOIS data for most global organizations. For the last 20 years, WHOIS has been the source of information that certification authorities (CAs) have used to confirm who owns or operates a website. Email-based verification using WHOIS data has always been very popular due to its ease of use. A CA could check a domain WHOIS record, locate the owner’s email address and send out a confirmation email to validate a domain. While this method is still acceptable, many organizations cannot rely on it anymore because several domain registrars have blocked this information to comply with new data privacy laws.
As a result, organizations have been limited to other proof-of-domain control methods that involve uploading a random value to either a web server or DNS record to show a CA that they control the domain and can authorize a certificate to be issued. These are not one-time checks – the CA/B Forum requires that domain control be reconfirmed with a new random value every 13 months for Extended Validation and every 27 months for Organization Validation. Large organizations are continuously updating DNS records to perform domain validation and revalidation, which requires constant communication with various server and DNS administrators.
But there’s good news for those of you feeling this pain – the CA/B Forum has recently approved new methods that will bring back a reliable email mechanism for domain validation. Since organizations do not have full control over what information is pushed out to the world in WHOIS, the best available alternative is to leverage DNS records, where organizations have full control of the information they choose to publish. With email validation via DNS, the idea is to allow organizations to place an email address in specific areas of DNS such as CAA or TXT records, where CAs can locate the email address and send a confirmation message.
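To make the two DNS-based mechanisms above concrete, here is a small added example (not code from the original post or from any CA's validation system) that scans a set of DNS records for a pre-published contact email and for a CA-supplied random value. The record names it looks for, a CAA property tag `contactemail` and a TXT record under the `_validation-contactemail` label, are the names the CA/B Forum adopted for these methods; the page itself does not name them, so treat that as an assumption of this example. The records in `SAMPLE_ZONE` are constructed stand-ins for what a DNS lookup would return, so the code runs offline.

```python
import hmac
import re
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner name, RR type, presentation-format value)

# Constructed sample records standing in for DNS lookup answers (all values made up).
SAMPLE_ZONE: List[Record] = [
    ("example.com", "CAA", '0 issue "ca.example"'),
    ("example.com", "CAA", '0 contactemail "admin@example.com"'),
    ("_validation-contactemail.sub.example.com", "TXT", '"hostmaster@example.com"'),
    ("example.com", "TXT", '"v=spf1 -all"'),
    ("example.com", "TXT", '"ca-random-value=7d2f9a1c3e"'),   # constructed validation token
    ("example.net", "CAA", '0 contactemail "not-an-address"'),  # malformed on purpose
]

# Deliberately strict: one mailbox, no whitespace or quotes, must contain '@' and a dot.
EMAIL_RE = re.compile(r'^[^@\s"]+@[^@\s"]+\.[^@\s"]+$')
# CAA presentation format: <flags> <tag> "<value>"
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"$')


def _lookup(records: List[Record], name: str, rtype: str) -> List[str]:
    """Return the values of all records of the given type at exactly this owner name."""
    name = name.rstrip(".").lower()
    return [v for n, t, v in records if n.rstrip(".").lower() == name and t.upper() == rtype]


def _self_and_parents(name: str):
    """Yield the name, then each parent, stopping before the bare TLD."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def caa_contact_email(records: List[Record], domain: str) -> Optional[str]:
    """Find the closest CAA RRset (climbing toward the root, as CAA lookups do) and
    return its first well-formed 'contactemail' value, or None if it has none."""
    for name in _self_and_parents(domain):
        values = _lookup(records, name, "CAA")
        if not values:
            continue
        for v in values:
            m = CAA_RE.match(v)
            if m and m.group(2).lower() == "contactemail" and EMAIL_RE.match(m.group(3)):
                return m.group(3)
        return None  # the nearest CAA RRset is authoritative; do not keep climbing
    return None


def txt_contact_email(records: List[Record], domain: str) -> Optional[str]:
    """Return the mailbox in the _validation-contactemail TXT record for exactly this domain."""
    for v in _lookup(records, "_validation-contactemail." + domain, "TXT"):
        text = v.strip().strip('"')
        if EMAIL_RE.match(text):
            return text
    return None


def contact_email(records: List[Record], domain: str) -> Optional[Tuple[str, str]]:
    """Prefer the CAA contact, then the TXT contact; report which method produced it."""
    email = caa_contact_email(records, domain)
    if email:
        return ("caa-contactemail", email)
    email = txt_contact_email(records, domain)
    if email:
        return ("txt-validation-contactemail", email)
    return None


def txt_random_value_present(records: List[Record], domain: str, expected: str) -> bool:
    """The page's 'upload a random value to a DNS record' check: look for a TXT record at
    the domain whose value (after an optional key= prefix) equals the CA-supplied token.
    Exact, constant-time comparison avoids accepting a token that merely contains ours."""
    for v in _lookup(records, domain, "TXT"):
        text = v.strip().strip('"')
        candidate = text.split("=", 1)[1] if "=" in text else text
        if hmac.compare_digest(candidate, expected):
            return True
    return False


if __name__ == "__main__":
    for d in ("example.com", "sub.example.com", "example.net"):
        print(d, "->", contact_email(SAMPLE_ZONE, d))
    print("token at example.com:", txt_random_value_present(SAMPLE_ZONE, "example.com", "7d2f9a1c3e"))
```

Two design points worth noting: the CAA search stops at the nearest ancestor that has any CAA records at all, because that RRset is the one that governs the name, so a parent's `contactemail` is only used when no closer RRset exists; and the TXT contact is read only at the exact `_validation-contactemail` label, so a subdomain does not inherit a parent's mailbox by accident.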
Another piece of news I am excited to share is that we are building these new domain verification methods into our full self-service domain verification system for enterprise customers. Our system is being designed so that a pre-loaded email address in DNS can be detected during domain verification and allow you to send out a confirmation email right away. With a properly configured DNS email address, domain verification turnaround times can be greatly reduced, and you will only need to ask for a single DNS record update that can be used for years to come.
Please join me for a webinar discussion and demo, Wednesday, May 8 at 11:00am EDT, where I will further discuss these new industry changes, how we predict they will change the game when it comes to domain verification and best practices for leveraging our new self-service system to stay ahead of the domain verification process.