SC-102: EVG Domain Ownership Validation Reuse #661
Open
dustinhollenback-apple wants to merge 7 commits into cabforum:main from
The EV Guidelines currently require CAs to verify WHOIS records when revalidating domain names for existing subscribers (Section 3.2.2.14.1). With the TLS BRs sunsetting WHOIS-based validation methods (SC-080) and the broader industry move away from reliance on WHOIS data, this requirement needs to be updated. This still provides a higher bar for data re-use than is present in the Baseline Requirements.

Additionally, the EVGs hardcode specific values for certificate validity periods (Section 6.3.2) and domain name validation data reuse periods (Section 3.2.2.14.3). With the TLS Baseline Requirements now containing a schedule of reducing validity periods and data reuse periods (introduced by SC-081), these hardcoded values risk becoming stale or giving the misleading impression that EV certificates are subject to less restrictive limits than the TLS BRs.

This ballot makes three changes:

1. Replaces the WHOIS-based domain revalidation requirement in Section 3.2.2.14.1 with a prioritized set of methods: first attempting verification via an authenticated channel with the domain registrar or registry, then falling back to a recent domain control validation, and finally performing a new domain control validation.
2. Replaces the hardcoded "398 days" domain name reuse period in Section 3.2.2.14.3 with a reference to Section 4.2.1 of the Baseline Requirements, so the EVG automatically follows the planned reductions without requiring further EVG amendments.
3. Removes the EV-specific validity period language in Section 6.3.2, allowing the TLS BR requirements to govern directly.
Add requirement for CA to verify domain name usage for EV Certificates.
Summary
The EV Guidelines currently require CAs to verify WHOIS records when revalidating domain names for existing subscribers (Section 3.2.2.14.1). With the TLS BRs sunsetting WHOIS-based validation methods (SC-080) and the broader industry move away from reliance on WHOIS data, this requirement needs to be updated.
Additionally, analysis of the interaction between Sections 3.2.2.14.1 and 3.2.2.14.3 revealed structural gaps in the existing EV revalidation framework: CAs could selectively reuse certain validation items while routing domain validation through a less restrictive path, the absence of a hard outer limit on continuous reuse allowed indefinite reliance on prior verification, and the domain data reuse provision in Section 3.2.2.14.3 did not require confirmation that a domain remained registered to the same legal entity. This ballot addresses those gaps alongside the WHOIS modernization.
The EVGs also hardcode specific values for certificate validity periods (Section 6.3.2) and domain name validation data reuse periods (Section 3.2.2.14.3). With the TLS Baseline Requirements now containing a schedule of reducing validity periods and data reuse periods (introduced by SC-081), these hardcoded values risk becoming stale or giving the misleading impression that EV certificates are subject to less restrictive limits than the TLS BRs.
This ballot makes six changes:
1. Replaces the WHOIS-based domain revalidation requirement in Section 3.2.2.14.1(6) with three acceptable methods for confirming that a domain name remains registered to the same legal entity: verification via an authenticated channel with the domain registrar or registry, reliance on a domain control validation less than 48 hours old, or performing a new domain control validation.
2. Adds a hard outer limit to Section 3.2.2.14.1: a CA may not rely on prior authentication and verification under this section if more than the maximum domain name reuse period specified in Section 4.2.1 of the Baseline Requirements has elapsed since the CA last performed a complete verification without reliance on this section.
3. Replaces the hardcoded "398 days" domain name reuse period in Section 3.2.2.14.3(1)(F) with a reference to Section 4.2.1 of the Baseline Requirements, so the EVG automatically follows the planned reductions without requiring further EVG amendments.
4. Adds a same-entity confirmation requirement to Section 3.2.2.14.3(1)(F): prior to each reuse of domain name validation data, the CA must confirm the domain remains registered to the same legal entity using one of the methods specified in Section 3.2.2.14.1(6).
5. Adds paragraph 5 to Section 3.2.2.14.3: where a CA relies on Section 3.2.2.14.1 for any item listed in that section, it must also comply with Section 3.2.2.14.1(6) for domain name verification. This prevents selective reuse of identity items without the corresponding domain ownership confirmation.
6. Removes the EV-specific validity period language in Section 6.3.2, allowing the TLS BR requirements to govern directly.
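The decision the amended Sections 3.2.2.14.1 and 3.2.2.14.3 describe, written out as code. This is an added illustration, not text from the ballot or code from the CA/Browser Forum: the three same-entity methods, the 48-hour window and the hard outer limit come from the summary above, while the reuse-period schedule, the record fields and all function names are this example's own assumptions (the schedule in particular should be replaced with the values in the Baseline Requirements edition you are subject to).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional

# ASSUMED schedule of maximum domain validation data reuse periods (days),
# keyed by the UTC date each limit takes effect. This is the example's own
# reading of TLS BR Section 4.2.1 after SC-081, not quoted BR text.
DCV_REUSE_SCHEDULE = (
    (datetime(1970, 1, 1, tzinfo=timezone.utc), 398),
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100),
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 10),
)

RECENT_DCV_WINDOW = timedelta(hours=48)  # "less than 48 hours old", 3.2.2.14.1(6)


def max_reuse_days(now: datetime) -> int:
    """Reuse limit in force at `now`, i.e. the last schedule entry already effective."""
    limit = DCV_REUSE_SCHEDULE[0][1]
    for effective, days in DCV_REUSE_SCHEDULE:
        if now >= effective:
            limit = days
    return limit


class Method(Enum):
    REGISTRAR_CHANNEL = "authenticated channel with the domain registrar or registry"
    RECENT_DCV = "domain control validation less than 48 hours old"
    NEW_DCV = "new domain control validation required"


@dataclass
class DomainRecord:                      # hypothetical CA-side record, not an EVG structure
    domain: str
    last_dcv: datetime                   # most recent completed DCV for this FQDN
    last_complete_verification: datetime # last full EV verification done without relying on 3.2.2.14.1
    registrar_confirmed_same_entity: bool = False  # outcome of an authenticated registrar/registry check made now


@dataclass
class Decision:
    reusable: bool
    method: Optional[Method]
    reason: str


def check_reuse(rec: DomainRecord, now: datetime) -> Decision:
    """Apply the amended EVG rules before reusing prior verification for `rec`."""
    limit = timedelta(days=max_reuse_days(now))

    # Hard outer limit (3.2.2.14.1): no reliance on prior verification once the
    # BR 4.2.1 period has elapsed since the last complete verification.
    if now - rec.last_complete_verification > limit:
        return Decision(False, None,
                        f"{rec.domain}: complete re-verification required, "
                        f"last full verification older than {limit.days} days")

    # Domain data reuse period (3.2.2.14.3(1)(F)) now follows BR 4.2.1 as well.
    if now - rec.last_dcv > limit:
        return Decision(False, Method.NEW_DCV,
                        f"{rec.domain}: DCV data older than {limit.days} days")

    # Same-entity confirmation prior to each reuse, in the order the ballot lists.
    if rec.registrar_confirmed_same_entity:
        return Decision(True, Method.REGISTRAR_CHANNEL, f"{rec.domain}: registrant confirmed via registrar")
    if now - rec.last_dcv < RECENT_DCV_WINDOW:
        return Decision(True, Method.RECENT_DCV, f"{rec.domain}: DCV within 48 hours")
    return Decision(False, Method.NEW_DCV,
                    f"{rec.domain}: no same-entity confirmation available, perform a new DCV before reuse")


NOW_EXAMPLE = datetime(2026, 6, 1, tzinfo=timezone.utc)  # assumed "now"; limit is 200 days here


def run_examples() -> Dict[str, Decision]:
    """Constructed sample records (not real CA data) exercising each branch."""
    ago = lambda days: NOW_EXAMPLE - timedelta(days=days)
    records = {
        "recent_dcv": DomainRecord("a.example", NOW_EXAMPLE - timedelta(hours=6), ago(100)),
        "registrar": DomainRecord("b.example", ago(30), ago(50), registrar_confirmed_same_entity=True),
        "needs_new_dcv": DomainRecord("c.example", ago(30), ago(50)),
        "outer_limit": DomainRecord("e.example", NOW_EXAMPLE - timedelta(hours=6), ago(250)),
    }
    return {name: check_reuse(rec, NOW_EXAMPLE) for name, rec in records.items()}


if __name__ == "__main__":
    for name, decision in run_examples().items():
        print(f"{name:14} reusable={decision.reusable!s:5} method={decision.method} ({decision.reason})")
```

Note that the outer-limit check runs before the same-entity check on purpose: a registrar confirmation or a fresh DCV cannot rescue a subscriber whose complete verification has aged out, which is exactly the gap change 2 closes.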
losoy88 approved these changes on Apr 30, 2026