CA / B Forum updated phone validation methods

CA B Forum updated phone validation methods

The CA / B Forum, the SSL certificate industry regulator, has adopted new changes regarding phone validation methods.

Ballot SC14 addresses some of the potential security risks associated with method 3 (3.2.2.4.3) of Baseline Requirements. In particular, Ballot SC14 proposes to tighten phone validation to make sure that authorisation or domain management is carried out by an authorised person.

Validation performed under method 3 will remain valid until the end of the specified certificate period, but all new checks will have to use the updated method.

Ballot SC14 is based on the Ballot SC13 proposal, which allows domain owners to publish phone numbers for domain validation in DNS TXT records. Since these phone numbers are specifically designed to validate domains, switching to another number is not allowed.

Changes proposed in Ballot SC14

Ballot SC14 makes the following changes to the Baseline Requirements for the issuance of public certificates.

Section 1.6.1 introduces the following addition:

Phone number in DNS TXT record: phone number defined in section B.2.2.

In section 3.2.2.4.3, the following has been added after the second paragraph: the certification authority must NOT perform validation using this method after May 31, 2019. Already performed validations using this method will remain valid until the certificate is renewed.

Instead of section 3.2.2.4.3, two new sections have been added to the Baseline Requirements document: 3.2.2.4.15 and 3.2.2.4.16.

Section 3.2.2.4.15 deals with phone contact with the domain owner. In particular, this section refers to confirming control of a domain via a telephone call. One phone call can confirm control of several domains if the same phone number is specified for each domain name and a confirmation response has been received regarding ownership of the domain.

The certification authority may leave a random value in the voice message to verify the applicant. This value must be passed to the certification authority to confirm the request. A random value will remain valid for a maximum of 30 days from its inception. Certification authorities may specify a shorter validity period for random values.

Section 3.2.2.4.16 establishes the rules for phone communications via a DNS TXT record. In this case, domain ownership control is checked by calling the number specified in the DNS TXT record. As soon as a confirmation response is received, the full domain name will be verified. The verification rules (for calls and voice messages) here are similar to section 3.2.2.4.15.

An appendix B.2.2 is also added. It marks the rules for setting the DNS TXT records:

DNS TXT-record should be placed on the "_validation-contactphone" sub-domain of the domain that you want to check. The full RDATA value of this TXT record must be a valid global number, as defined in section 5.1.4 of RFC 3966. Otherwise, it will not be used.