

20240920 - DCV email - Towards the end of the use of WHOIS addresses

As a reminder, DCV validation by email allows the use of:

  • a list of email addresses linked to the domains to be secured, and defined by the certification authority: admin, administrator, webmaster, hostmaster and postmaster @domain.com
  • email addresses present in the domain registration (WHOIS)

However, a researcher recently demonstrated how a negligent gTLD manager had put the security of that gTLD's WHOIS at risk. The CA/B Forum quickly concluded that the WHOIS method was risky and should be removed from the DCV-eligible methods.

What are the consequences?

A ballot proposal has been submitted to the CA/B Forum to prohibit the use of email addresses found in WHOIS during DCV validation.

This proposal will be put to a vote in the coming weeks, with the ban taking effect on November 1, 2024.

Upcoming changes

This vote has 2 objectives:

  • prohibit the use of email addresses registered in WHOIS during DCV validation
  • prohibit the reuse of domain validation if the latter was based on an email DCV that used a WHOIS email address

What is the impact on your valid certificates?

None. These certificates will remain valid until their expiration date.

However, if a reissuance is necessary and the previous DCV validation was carried out via an email address found in the WHOIS, then a new DCV validation will be requested.

Does this vote have a chance of passing?

Yes, at least in part. The schedule may also be revised, but this ban will be implemented eventually, so we must be prepared for it.
