As of August 1, 2018, Certificate Authorities (CAs) are not allowed to use Methods #1 and #5 from section 3.2.2.4 of the Baseline Requirements to validate domain ownership when issuing publicly trusted certificates for use on the web. Continued use of these methods will be considered misissuance and may be subject to revocation or distrust upon short notice, if and when it is discovered.
Method #1 only required comparing the name and address of the domain owner to the applicant, and it also contained lots of loopholes, like allowing attestation letters and the use of third-party databases not intended for this purpose. Method #5 allowed lawyers to write letters asserting ownership of domain names, a subject they are generally not qualified to evaluate. Neither of these methods was particularly secure, and we led the effort to get them removed, as part of an overall focus on improving validation standards. A little background and history is useful in order to help understand why this is an important milestone for the security of the Internet.
Before a certificate for a particular domain name can be issued, the CA must first validate that the person requesting the certificate actually owns or controls the domain name. Historically, the requirements around the mechanics of how this was done were pretty vague and loose. Even worse, CAs were allowed to use “any other method” to validate control of the domain name, as long as they argued it was at least as secure as one of the listed methods. This left lots of room for CAs to cut corners on validation of certificates.
In the spring of 2015, CAs and browsers started working together on improving the requirements for domain validation, a process that still continues today. The first effort was to tighten up the existing validation methods and remove the “any other method” loophole. Over about 18 months, CAs and browsers added more explicit requirements of exactly how validation was to be performed, in order to guarantee that the applicant did in fact own or control the domain. Much of the discussion focused on improving the methods that demonstrate technical control of the domain, through email, phone, or accessing the website directly. Older, less rigorous methods like methods #1 and #5, unfortunately, didn’t receive as much discussion or attention, and survived largely unchanged.
On August 5, 2016, Ballot 169 was finally passed, removing “any other method” and adding detailed technical steps for how to verify technical control of a domain via a variety of means. It was hoped that at least one of the methods would be workable for potential customers. However, some CAs chose not to implement these technical methods, and continued to use older validation methods with less rigorous security properties.
In December of 2017, we again raised concerns about the quality of validations done using these methods, and explained a number of loopholes which could be exploited in order to improperly obtain a digital certificate. Others opposed the effort and argued for the status quo, despite the obvious flaws in the methods. There was a long discussion about potential ways to improve the methods, but in the end, such efforts always ended up turning the method into one of the other more secure methods, like email or phone validation.
On February 5th of this year, Ballot 218 of the CA/Browser Forum (CAB Forum) was finally passed, removing the two methods, with an effective date of August 1, 2018. Going forward, any CA that issues a digital certificate without verifying control of the domain via one of the approved methods is guilty of misissuance. Certificate holders should ask their CA which validation method is being used to validate their certificate, and make sure it is still an approved validation method. If the certificate is not validated using an approved method, there is a significant risk that it will eventually be discovered, and the certificate will be revoked or distrusted on short notice.
Change is hard, but in security it is necessary to stay ahead of evolving threats. We continue to lead efforts to improve the rigor of validation methods, and these efforts meet resistance from those who still advocate for the right to continue doing the same thing that they’ve always done. Nonetheless, this important work moves forward.
This spring, the CAB Forum, encouraged to do so by Mozilla and strongly supported by us, held a very successful all-day Validation Summit, where each method was examined and potential new improvements were proposed. The CAB Forum Validation Working Group will soon propose a new ballot tightening up the rules around validation via telephone. We will continue to be very active in this important work to ensure that only legitimate owners of domain names can get certificates for those domains.