SC-102: EVG Domain Ownership Validation Reuse#661

Open
dustinhollenback-apple wants to merge 7 commits into
cabforum:mainfrom
dustinhollenback-apple:dustinhollenback-apple-SC-102-EVG-Domain-Ownership-Validation-Reuse

Conversation

@dustinhollenback-apple


The EV Guidelines currently require CAs to verify WHOIS records when revalidating domain names for existing subscribers (Section 3.2.2.14.1). With the TLS BRs sunsetting WHOIS-based validation methods (SC-080) and the broader industry move away from reliance on WHOIS data, this requirement needs to be updated. This still provides a higher bar for data re-use than is present in the Baseline Requirements.

Additionally, the EVGs hardcode specific values for certificate validity periods (Section 6.3.2) and domain name validation data reuse periods (Section 3.2.2.14.3). With the TLS Baseline Requirements now containing a schedule of reducing validity periods and data reuse periods (introduced by SC-081), these hardcoded values risk becoming stale or giving the misleading impression that EV certificates are subject to less restrictive limits than the TLS BRs.

This ballot makes three changes:

  1. Replaces the WHOIS-based domain revalidation requirement in Section 3.2.2.14.1 with a prioritized set of methods: first attempting verification via an authenticated channel with the domain registrar or registry, then falling back to a recent domain control validation, and finally performing a new domain control validation.

  2. Replaces the hardcoded "398 days" domain name reuse period in Section 3.2.2.14.3 with a reference to Section 4.2.1 of the Baseline Requirements, so the EVG automatically follows the planned reductions without requiring further EVG amendments.

  3. Removes the EV-specific validity period language in Section 6.3.2, allowing the TLS BR requirements to govern directly.

@dustinhollenback-apple dustinhollenback-apple requested a review from a team as a code owner April 16, 2026 19:55
Add requirement for CA to verify domain name usage for EV Certificates.
Summary

The EV Guidelines currently require CAs to verify WHOIS records when revalidating domain names for existing subscribers (Section 3.2.2.14.1). With the TLS BRs sunsetting WHOIS-based validation methods (SC-080) and the broader industry move away from reliance on WHOIS data, this requirement needs to be updated.

Additionally, analysis of the interaction between Sections 3.2.2.14.1 and 3.2.2.14.3 revealed structural gaps in the existing EV revalidation framework: CAs could selectively reuse certain validation items while routing domain validation through a less restrictive path, the absence of a hard outer limit on continuous reuse allowed indefinite reliance on prior verification, and the domain data reuse provision in Section 3.2.2.14.3 did not require confirmation that a domain remained registered to the same legal entity. This ballot addresses those gaps alongside the WHOIS modernization.

The EVGs also hardcode specific values for certificate validity periods (Section 6.3.2) and domain name validation data reuse periods (Section 3.2.2.14.3). With the TLS Baseline Requirements now containing a schedule of reducing validity periods and data reuse periods (introduced by SC-081), these hardcoded values risk becoming stale or giving the misleading impression that EV certificates are subject to less restrictive limits than the TLS BRs.

This ballot makes six changes:

1. Replaces the WHOIS-based domain revalidation requirement in Section 3.2.2.14.1(6) with three acceptable methods for confirming that a domain name remains registered to the same legal entity: verification via an authenticated channel with the domain registrar or registry, reliance on a domain control validation less than 48 hours old, or performing a new domain control validation.
2. Adds a hard outer limit to Section 3.2.2.14.1: a CA may not rely on prior authentication and verification under this section if more than the maximum domain name reuse period specified in Section 4.2.1 of the Baseline Requirements has elapsed since the CA last performed a complete verification without reliance on this section.
3. Replaces the hardcoded "398 days" domain name reuse period in Section 3.2.2.14.3(1)(F) with a reference to Section 4.2.1 of the Baseline Requirements, so the EVG automatically follows the planned reductions without requiring further EVG amendments.
4. Adds a same-entity confirmation requirement to Section 3.2.2.14.3(1)(F): prior to each reuse of domain name validation data, the CA must confirm the domain remains registered to the same legal entity using one of the methods specified in Section 3.2.2.14.1(6).
5. Adds paragraph 5 to Section 3.2.2.14.3: where a CA relies on Section 3.2.2.14.1 for any item listed in that section, it must also comply with Section 3.2.2.14.1(6) for domain name verification. This prevents selective reuse of identity items without the corresponding domain ownership confirmation.
6. Removes the EV-specific validity period language in Section 6.3.2, allowing the TLS BR requirements to govern directly.
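The prioritized revalidation methods in the PR description and the six-change commit summary above (outer reuse limit, then same-entity confirmation by registrar channel, by a domain control validation under 48 hours old, or by a fresh DCV) can be read as a small decision procedure. The following is an added example written for this page, not code from the ballot, the EV Guidelines, or any CA's system. It models those rules only; the `max_reuse_days` value is a parameter, defaulting to 200 because the alternative-draft text on this page says the BR reuse period is "200 days today", and all record data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class SameEntityMethod(Enum):
    """The three methods the ballot allows for confirming a domain is still
    registered to the same legal entity (modelled from the PR text)."""
    REGISTRAR_AUTHENTICATED_CHANNEL = "registrar_or_registry_authenticated_channel"
    RECENT_DCV = "domain_control_validation_under_48h"
    NEW_DCV = "perform_new_domain_control_validation"


# Ballot text: a DCV may be relied on for same-entity confirmation only if it
# is less than 48 hours old.
RECENT_DCV_WINDOW = timedelta(hours=48)


@dataclass
class DomainRecord:
    """Constructed CA-side record for one EV subscriber domain (hypothetical)."""
    domain: str
    last_complete_verification: datetime   # last full verification with no reliance on 3.2.2.14.1
    last_dcv: Optional[datetime]           # most recent domain control validation, if any
    registrar_confirmed_same_entity: bool  # outcome of an authenticated registrar/registry check


@dataclass
class Decision:
    prior_data_reusable: bool              # may the CA rely on prior verification at all?
    method: Optional[SameEntityMethod]     # how same-entity confirmation is satisfied
    reason: str


def decide_domain_reuse(rec: DomainRecord, now: datetime,
                        max_reuse_days: int = 200) -> Decision:
    """Apply the reuse rules described in the ballot summary, in priority order.

    1. Hard outer limit: if more than the BR 4.2.1 maximum reuse period has
       elapsed since the last complete verification, prior data cannot be
       relied on and a complete verification is required.
    2. Otherwise, same-entity confirmation must be satisfied by one of the
       three methods, tried in the order the ballot lists them.
    """
    elapsed = now - rec.last_complete_verification
    if elapsed > timedelta(days=max_reuse_days):
        return Decision(False, None,
                        f"outer limit exceeded ({elapsed.days} d > {max_reuse_days} d): "
                        "complete verification required")

    if rec.registrar_confirmed_same_entity:
        return Decision(True, SameEntityMethod.REGISTRAR_AUTHENTICATED_CHANNEL,
                        "same entity confirmed via authenticated registrar/registry channel")

    if rec.last_dcv is not None and (now - rec.last_dcv) < RECENT_DCV_WINDOW:
        return Decision(True, SameEntityMethod.RECENT_DCV,
                        "same entity confirmed by a domain control validation under 48 h old")

    # No cheaper method applies: prior data stays reusable, but only after a
    # new domain control validation is performed for this domain.
    return Decision(True, SameEntityMethod.NEW_DCV,
                    "perform a new domain control validation before reusing prior data")


def evaluate_all(records, now, max_reuse_days=200):
    """Return {domain: Decision} for a batch of constructed records."""
    return {r.domain: decide_domain_reuse(r, now, max_reuse_days) for r in records}


if __name__ == "__main__":
    NOW = datetime(2026, 6, 10, 12, 0, tzinfo=timezone.utc)  # constructed "now"
    sample = [
        DomainRecord("stale.example", datetime(2025, 11, 1, tzinfo=timezone.utc), None, False),
        DomainRecord("registrar.example", datetime(2026, 1, 15, tzinfo=timezone.utc), None, True),
        DomainRecord("fresh-dcv.example", datetime(2026, 1, 15, tzinfo=timezone.utc),
                     NOW - timedelta(hours=47), False),
        DomainRecord("old-dcv.example", datetime(2026, 1, 15, tzinfo=timezone.utc),
                     NOW - timedelta(hours=49), False),
    ]
    for domain, d in evaluate_all(sample, NOW).items():
        print(f"{domain:20} reusable={d.prior_data_reusable!s:5} "
              f"method={d.method.value if d.method else '-'}  ({d.reason})")
```

Two design points worth noting: the outer limit is checked before any same-entity method, because the ballot makes it a ceiling on reliance under Section 3.2.2.14.1 regardless of how recently a DCV was done; and the 48-hour comparison is strict (`<`), matching "less than 48 hours old", so a DCV exactly 48 hours old falls through to the new-DCV branch.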
dustinhollenback-apple added a commit to dustinhollenback-apple/servercert that referenced this pull request Jun 10, 2026
…h the Baseline Requirements

## Summary

This is an alternative draft of SC-102. Where the current draft (cabforum#661) adds an EV-specific requirement to re-confirm that a domain remains registered to the same Legal Entity, this version instead aligns EV domain re-validation directly with the Baseline Requirements and removes hardcoded values that have become stale.

The EV Guidelines currently:

- require CAs to re-check WHOIS or RDAP registration data when revalidating domain names for existing subscribers (Section 3.2.2.14.1);
- hardcode "398 days" as the Domain Name data reuse period (Section 3.2.2.14.3); and
- hardcode an EV certificate validity ceiling of 398 days plus a recommended twelve-month maximum (Section 6.3.2).

With WHOIS-based validation sunsetting (SC-080) and the Baseline Requirements now carrying a schedule that reduces both validity and data reuse periods over time (SC-081), these provisions are out of date. The 398-day validity ceiling and the 398-day domain reuse period are both already superseded by the Baseline Requirements (200 days today, reducing further on the published schedule). Read in isolation they suggest, incorrectly, that EV certificates may have longer lifetimes or longer data reuse than other TLS certificates. An EV certificate is a TLS Subscriber Certificate and is bound by the BR limits.

## Changes

This ballot makes four changes:

1. Section 3.2.2.14.1(6): removes the WHOIS/RDAP same-registrant test. The Applicant's right to use the Domain Name is re-verified under Section 3.2.2.7 (which follows BR Section 3.2.2.4), at the data reuse cadence set in Section 3.2.2.14.3(1)(F).
2. Section 3.2.2.14.3(1)(F): replaces the hardcoded "398 days" Domain Name reuse period with a reference to Section 4.2.1 of the Baseline Requirements, so the EVG tracks the planned reductions automatically.
3. Section 3.2.2.14.3(2): corrects the "398-day period" sentence, which is no longer accurate for every item once item (F) references the Baseline Requirements.
4. Section 6.3.2: replaces the stale EV validity language with a reference to Section 6.3.2 of the Baseline Requirements.

The identity-data reuse periods in Section 3.2.2.14.3(1)(A) through (E) and (G) are unchanged; they remain at 398 days, which matches the BR Subject Identity Information reuse period.