{"id":7008,"date":"2018-08-06T13:29:09","date_gmt":"2018-08-06T17:29:09","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=7008"},"modified":"2018-08-07T14:48:33","modified_gmt":"2018-08-07T18:48:33","slug":"cab-forum-bans-whois-legal-opinions-for-domain-validation","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/cab-forum-bans-whois-legal-opinions-for-domain-validation\/","title":{"rendered":"CAB Forum bans WHOIS, Legal Opinions for Domain Validation"},"content":{"rendered":"<h2>Two recent updates to the baseline requirements will strengthen domain validation<\/h2>\n<p>On August 1, a couple of new changes to the baseline requirements that govern the issuance of digital certificates went into effect. Certificate Authorities are no longer allowed to use methods #1 and #5 from section 3.2.2.4 to validate domain ownership. Or, put in laymen\u2019s terms, CAs will no longer be allowed rely solely upon WHOIS look ups and legal opinion letters to validate ownership of a domain.<\/p>\n<p>There\u2019s a little bit to unpack here, so let\u2019s start from the top with a quick refresher on the CAB Forum before we get into the actual substance of the changes.<span id=\"newline\"><\/span><\/p>\n<p>The Certificate Authority\/Browser Forum or CAB Forum serves as a de facto regulatory body for the digital certificate industry. Comprised Certificate Authorities and the major browsers, the Forum is responsible for determining the baseline requirements that govern certificate issuance.<\/p>\n<p>The CAB Forum has been actively working to improve domain validation since around the Spring of 2015. <a href=\"https:\/\/www.digicert.com\/blog\/new-cab-forum-validation-rules-go-into-effect-today\/\" target=\"_blank\" rel=\"nofollow noopener\">As DigiCert\u2019s Tim Hollebeek puts it<\/a>:<\/p>\n<blockquote><p>Historically, the requirements around the mechanics of how [domain validation was] done were pretty vague and loose. Even worse, CAs were allowed to use \u201cany other method\u201d to validate control of the domain name, as long as they argued it was at least as secure as one of the listed methods. This left lots of room for CAs to cut corners on validation of certificates.<\/p><\/blockquote>\n<p>So, on August 5, 2016, <a href=\"https:\/\/cabforum.org\/2016\/08\/05\/ballot-169-revised-validation-requirements\/\" target=\"_blank\" rel=\"nofollow noopener\">Ballot 169<\/a> was passed. It officially removed the \u201cany other methods\u201d portion of the baseline requirements. It was hoped that some of the new technical steps that were added at the time would be used by the CAs, thus ensuring stronger validation, but most CAs opted not to implement these new methods and instead continued using older methods.<\/p>\n<p>In response, in December of 2017 the CAB Forum again set out to strengthen domain validation, this time by eliminating a pair of older validation methods that have been deemed unsafe.<\/p>\n<p>In February, <a href=\"https:\/\/cabforum.org\/2018\/02\/05\/ballot-218-remove-validation-methods-1-5\/\" target=\"_blank\" rel=\"nofollow noopener\">Ballot 218<\/a> was passed. This ballot effectively eliminates two methods for domain validation: Method #1, WHOIS lookups and Method #5, Legal Opinion Letters. Both methods were amended so that they will no longer be usable by Certificate Authorities as of August 1, 2018.<\/p>\n<p>Continuing to just use WHOIS lookups or legal opinions to validate domain ownership will be considered mis-issuance and will be subject to revocation and\/or distrust upon discovery.<\/p>\n<p>Frankly, these changes shouldn\u2019t be a major issue for most CAs. <a href=\"https:\/\/www.digicert.com\/blog\/new-cab-forum-validation-rules-go-into-effect-today\/\" target=\"_blank\" rel=\"nofollow noopener\">The WHOIS lookup was already in question as a result of the GDPR<\/a>. Currently, ICANN and the Domain Registrar industry are wrestling with how to redact WHOIS, and whether it should be public at all. Rather than wait for a fix, the CAB Forum has moved ahead without WHOIS and similar looks-ups under Method #1, which also allowed for attestation letters and third-party databases that were never intended for domain validation in the first place.<\/p>\n<p>Likewise, in the debate leading up to Ballot 218, there was very little evidence presented that CAs were even using Method #5, which allows attorneys and accountants to write letters asserting ownership of a given domain. The CAB Forum felt this was a subject that they were not especially qualified to evaluate.<\/p>\n<p>It is worth noting that legal opinion letters are still useful for other kinds of validation, specifically as it relates to Organization and Extended Validation SSL certificates, but as a means for verifying domain ownership legal opinion letters are no longer allowed.<\/p>\n<h2>What methods may still be used to validate domain ownership?<\/h2>\n<p>Glad you asked! There are still a number of methods that can be used to validate domain ownership by a certificate authority. For a complete idea, I\u2019d recommend you take a gander at the baseline requirements in full. But if you don\u2019t feel like delving into 63 pages of legalese, here\u2019s an abridged version:<\/p>\n<ul>\n<li>Method #2 \u2013 A CA can confirm domain ownership by sending a random value via email, fax, SMS or snail mail and then receiving a confirming response using the random value.<\/li>\n<li>Method #3 \u2013 A CA can confirm domain ownership by calling the registrant\u2019s phone number and obtaining a response confirming the applicant\u2019s request for validation.<\/li>\n<li>Method #4 \u2013 A CA can confirm domain ownership by sending an email to one or more of the following pre-approved addresses:\n<ul>\n<li>Admin@Domain<\/li>\n<li>Administrator@Domain<\/li>\n<li>Webmaster@Domain<\/li>\n<li>Hostmaster@Domain<\/li>\n<li>Postmaster@Domain<br \/>\nNOTE: The CA can also send verification email to the registrant contact on the WHOIS listing, if applicable.<\/li>\n<\/ul>\n<\/li>\n<li>Method #6 \u2013 A CA can confirm domain ownership by confirming an agreed-upon change to the website.<\/li>\n<li>Method #7 \u2013 A CA can confirm domain ownership by confirming the presence of a random value in the website\u2019s DNS CNAME, TXT or CAA record.<\/li>\n<li>Method #8 \u2013 A CA can confirm domain ownership by confirming that the applicant controls an IP address.<\/li>\n<li>Method #9 \u2013 A CA can confirm domain ownership by confirming the presence of a non-expired test certificate on the website.<\/li>\n<li>Method #10 \u2013 A CA can confirm domain ownership by confirming the presence of a random value within a certificate at that domain, which is accessible by the CA via TLS over an authorized port.<\/li>\n<\/ul>\n<p>Currently there is work being done at the CAB Forum to codify a requirement for CAs to publish the validation method used within the certificate details. The Forum hopes this will identify the most common validation methods in use while also helping to find mis-issuances.<\/p>\n<p>As always, feel free to leave your questions and comments below.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two recent updates to the baseline requirements will strengthen domain validation On August 1, a couple of new changes to the baseline requirements that govern the issuance of digital certificates&#8230;<\/p>\n","protected":false},"author":6,"featured_media":7009,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[8179,235,8180],"class_list":["post-7008","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-baseline-requirements","tag-cab-forum","tag-domain-validation","post-with-tags"],"views":11785,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-Notary-public-signing-document-150042050.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7008","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=7008"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7008\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/7009"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=7008"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=7008"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=7008"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}