New policies for validation of domains for TLS Certificates
When Buypass issues TLS Certificates one or more domain names always are included in the certificate. An important task for Certificate Authorities (CA) is to make sure that the certificate is issued to the rightful owner of the domain. All users on the Internet should be confident that certificates used for securing communication are correctly and reliably issued.
‘Ten Blessed Methods’
CA/Browser Forum is responsible for defining the required validation procedures for issuing of TLS certificates. In August 2016 it published a list consisting of ten approved methods for domain validation. Qualified certificate authorities must adhere to one or more of these methods. In connection with Ballot 218 the CA/Browser Forum in early February 2018 decided to omit method 1 and method 5 from the approved methods list. Method 1 states that it is sufficient to verify that the orderer of a TLS Certificate is identical with the registered domain owner. The background for this decision was that certain certificate authorities used these methods, and issued certificates based on dubious data quality of domains. Buypass has also been applying method 1 for domain validation. However, only high quality public and private registers have been integrated in our production process. This decision to omit method 1 and 5 comes into force as of August 2018.
Application of new domain validation method
Buypass is currently implementing an alternative to method 1 to comply with the requirements from CA/Browser Forum. We have chosen to apply validation methods querying WHOIS for information about the domain owner. Buypass then asks for approval from the domain owner preferably by phone or e-mail based on the retrieved information.
GDPR complicates the process
The EU General Data Protection Regulation - GDPR - introduced in May 2018 aims to restrict registration of information and the distribution of registered data. This has also affected the open WHOIS protocol. Access to required data managed by WHOIS used in domain validation has been severely limited. There is work going on to open the access to legitimate users of this information (such as certificate authorities), though it is likely to take some time before access to this data is (fully) restored.
Consequence for customers
The changes to these policies put Buypass in a challenging situation. We are continuously assessing alternative validation methods. But, due to the short timeframe for implementing an acceptable and lasting solution, we will temporarily be required to contact domain owners in one way or the other (phone or e-mail) before we can issue a TLS-certificate. Some customers will unfortunately experience longer lead time for issuance of DV TLS-certificates for some time. We regret the inconvenience. At the same time we want to emphasise that Buypass’ mission is to secure transaction on the Internet, and never will compromise on compliance or quality.
Help us help you
To make the issuance process as smooth and speedy as possible we encourage customers and domain owners to allow communication via one of the following standard mail-addresses: admin@<domain>, administrator@<domain>, webmaster@<domain>, hostmaster@<domain>, or postmaster@<domain>.