WHOIS Email DCV Deprecation
Upcoming changes impacting WHOIS-based domain-validation
Recent vulnerabilities in the domain name WHOIS system have highlighted the WHOIS-based domain-validation method as a weakness in the process of validating publicly trusted digital certificates.
A ballot is expected to pass in the CA/Browser Forum (CABF) requiring that WHOIS-listed email addresses are no longer acceptable for domain validation, nor can historic domain validations based on WHOIS email addresses be reused.
As a result, Sectigo and all other public Certificate Authorities will be required to:
- No longer allow WHOIS-based email addresses for domain validation.
- No longer allow certificates to be issued based on a WHOIS email address validation. Domains must be re-validated using an accepted, non-WHOIS method.
We will continue to update this page whenever new developments occur.
FAQs
If you have any existing domain validations affected, you will need to re-verify them using alternative DCV methods.
If you do not do so, no certificates will be issued for those name(s) after the effective date until a new domain validation is completed using an accepted method.
Email, DNS and HTTP methods are still available.
Email validation is still accepted using 'constructed' email addresses: admin@, administrator@, hostmaster@, postmaster@ and webmaster@ at the domain being validated (for example, admin@yourdomain.com).
However, we strongly recommend that you look to use DNS-based domain validation as this can be more easily automated in preparation for shorter-lifetime certificates.
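As an added example (not Sectigo's tooling or API), the following Python script audits an inventory of existing validations against the rules above and lists the domains that must be re-validated; the record fields, method labels and sample domains are assumptions made for this example.

```python
from dataclasses import dataclass

# Local parts the page lists as still-accepted 'constructed' addresses.
CONSTRUCTED_LOCAL_PARTS = {"admin", "administrator", "hostmaster",
                           "postmaster", "webmaster"}

@dataclass
class DcvRecord:
    """One existing domain validation (field labels assumed for this example)."""
    domain: str
    method: str             # "email", "dns" or "http"
    email: str = ""         # address used, for email validations
    email_source: str = ""  # "whois" or "constructed", for email validations

def is_constructed_address(email: str, domain: str) -> bool:
    """True if email is <constructed-local-part>@<domain> (case-insensitive)."""
    local, sep, host = email.strip().lower().rpartition("@")
    if not sep or not local or not host:
        return False
    # The address must sit at the validated domain itself, not a subdomain.
    return (local in CONSTRUCTED_LOCAL_PARTS
            and host == domain.strip().lower().rstrip("."))

def needs_revalidation(rec: DcvRecord) -> tuple[bool, str]:
    """Return (must_revalidate, reason) under the post-deprecation rules."""
    method = rec.method.lower()
    if method in ("dns", "http"):
        return False, f"{method} validation remains accepted"
    if method == "email":
        # A WHOIS-sourced validation is not reusable even when the listed
        # address happens to look like a constructed one.
        if rec.email_source.lower() == "whois":
            return True, "validated via WHOIS-listed address"
        if is_constructed_address(rec.email, rec.domain):
            return False, "constructed address at the validated domain"
        return True, f"{rec.email!r} is not a constructed address for {rec.domain}"
    return True, f"unrecognised method {rec.method!r}"

def audit(records: list[DcvRecord]) -> list[tuple[str, str]]:
    """Return (domain, reason) for every record that must be re-validated."""
    return [(r.domain, needs_revalidation(r)[1])
            for r in records if needs_revalidation(r)[0]]

SAMPLE = [  # constructed sample inventory for this example
    DcvRecord("example.com", "email", "owner@registrar.example", "whois"),
    DcvRecord("example.org", "email", "Admin@Example.org", "constructed"),
    DcvRecord("example.net", "email", "sales@example.net", "constructed"),
    DcvRecord("example.edu", "dns"),
]
```

Running `audit(SAMPLE)` flags example.com (WHOIS-sourced) and example.net (non-constructed address) while leaving the constructed-email and DNS validations untouched.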
No. No certificates that were validated based on WHOIS emails will be revoked. However, after a date yet to be confirmed, no more certificates can be issued based on WHOIS email validation, so you will need to re-validate your domain(s) using accepted methods.
Please contact Sectigo Support or your Account Manager if you have any further questions.