Ballot 169 – Revised Validation Requirements

Ballot overview

• Ballot 169 revised the Baseline Requirements domain validation rules.
• The stated purpose was to replace the prior open-ended domain validation method with a specific list of approved methods and to tighten and clarify existing methods.
• The ballot page says voting ended and the ballot passed unanimously.

What changed

• Section 3.2.2.4 was replaced with a new structure for validation of domain authorization or control.
• The new text says the CA must confirm, as of certificate issuance, that each FQDN in the certificate has been validated by the CA or a Delegated Third Party using at least one approved method.
• The ballot adds or clarifies definitions including Authorization Domain Name, Authorized Port, Base Domain Name, Domain Contact, Random Value, Request Token, Required Website Content, and Test Certificate.
• The approved validation methods include:
  • validating the applicant as a domain contact
  • email, fax, SMS, or postal mail to the domain contact
  • phone contact with the domain contact
  • constructed email to the domain contact
  • domain authorization document
  • agreed-upon change to website
  • DNS change
  • IP address
  • test certificate

Effective date and transition

• The ballot states that prior to 1 March 2017, CAs may use either the pre-ballot domain validation methods, the methods in this ballot, or both.
• Effective 1 March 2017, CAs may use only the domain validation methods specified in this ballot, as later amended.

Outcome

• The ballot passed unanimously.
• The page states the effective date is March 1, 2017.