20240920 - DCV email - Towards the end of the use of WHOIS addresses
As a reminder, DCV validation by email allows the use of:
- a list of email addresses linked to the domain to be secured and fixed by the certification authority: admin, administrator, webmaster, hostmaster and postmaster @domain.com
- email addresses present in the domain registration record (WHOIS)
However, a researcher recently demonstrated how a negligent gTLD manager had put the security of that gTLD's WHOIS at risk. The CA/B Forum quickly concluded that the WHOIS method was risky and should be removed from the DCV-eligible methods.
What consequences?
A ballot proposal has been submitted to the CA/B Forum to prohibit the use of email addresses found in WHOIS during DCV validation.
This proposal will be put to a vote in the coming weeks for an effective ban on November 1, 2024.
Upcoming changes
This vote has 2 objectives:
- prohibit the use of email addresses registered in WHOIS during DCV validation
- prohibit the reuse of a prior domain validation when that validation was based on an email DCV sent to a WHOIS email address
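The two rules above, together with the distinction between constructed and WHOIS addresses from the reminder at the top, can be expressed as a small policy check. This is an added example, not code from the original post or from any CA; it assumes a constructed address must sit at exactly the domain being secured (not a subdomain) and that the validation record stores where the address came from, since that cannot be recovered from the address alone.

```python
from dataclasses import dataclass
from datetime import date

# Local parts the CA may construct itself; these remain permitted (from the post).
CONSTRUCTED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)
# Effective date of the ban quoted in the post.
WHOIS_BAN_DATE = date(2024, 11, 1)


def _norm_domain(d: str) -> str:
    return d.strip().lower().rstrip(".")


def is_constructed_address(email: str, domain: str) -> bool:
    """True if `email` is one of the CA-defined addresses at the domain to be secured.
    Assumption: the address must sit at exactly that domain, not at a subdomain."""
    local, sep, host = email.strip().lower().rpartition("@")
    if not sep or not local or not host:
        return False
    return local in CONSTRUCTED_LOCAL_PARTS and _norm_domain(host) == _norm_domain(domain)


def whois_email_dcv_allowed(today: date) -> bool:
    """Objective 1: no new DCV via a WHOIS address from the ban date onwards."""
    return today < WHOIS_BAN_DATE


@dataclass(frozen=True)
class EmailValidation:
    domain: str        # domain that was validated
    email: str         # address the DCV mail was sent to
    from_whois: bool   # True if the address came from WHOIS, False if constructed


def reusable_for_reissuance(v: EmailValidation, today: date) -> bool:
    """Objective 2: a stored validation may back a reissuance only if it was not
    WHOIS-based, or if the reissuance happens before the ban takes effect."""
    if v.from_whois:
        return today < WHOIS_BAN_DATE
    # A validation recorded as constructed must really use a constructed address.
    return is_constructed_address(v.email, v.domain)
```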
What impact on your valid certificates?
None. These certificates will remain valid until their expiration date.
However, if a reissuance is needed and the previous DCV was carried out via an email address found in WHOIS, a new DCV validation will be required.
Does this vote have a chance of passing?
Yes, at least in part. The schedule may also be revised, but this ban will be implemented eventually, so we must be prepared for it.