Ballot SC080v3: Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods
Server Certificate Working Group
Key dates
- Effective date: 15 Jan 2025
- Voting opened: 31 Oct 2024
- Voting closed: 07 Nov 2024
- Discussion opened: 23 Oct 2024
- Discussion closed: 31 Oct 2024
AI Summary
Result
- Ballot SC080v3: Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods
- Voting results: 23 Certificate Issuers voted YES, 0 voted NO, 1 ABSTAIN; 3 Certificate Consumers voted YES, 0 voted NO, 0 ABSTAIN
- Bylaws requirements for adoption were MET (including quorum)
What the ballot changes
- Objective 1: Enhance WHOIS/RDAP validation of gTLDs with comparable security properties to DNS-based validation
- Objective 2: Sunset Methods 3.2.2.4.2 (Email, Fax, SMS, or Postal Mail to Domain Contact) and 3.2.2.4.15 (Phone Contact with Domain Contact)
Key CA requirements and transition dates (as stated in the ballot materials)
- Effective January 15, 2025
- CAs MUST NOT rely on Domain Contact information obtained using an HTTPS website, regardless of whether previously obtained information is within the allowed reuse period
- When obtaining Domain Contact information for a requested Domain Name using WHOIS (RFC 3912), the CA MUST query IANA's WHOIS server and follow referrals to the appropriate WHOIS server
- When obtaining Domain Contact information for a requested Domain Name using RDAP (RFC 7482), the CA MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain
- CAs MUST NOT rely on cached WHOIS server information that is more than 48 hours old, or RDAP bootstrap data from IANA that is more than 48 hours old
- Effective July 15, 2025
- CAs MUST NOT issue Subscriber Certificates relying on Methods 3.2.2.4.2 or 3.2.2.4.15
- Prior validations using these methods and validation data gathered according to this method MUST NOT be used to issue new Subscriber Certificates
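The January 15, 2025 lookup rules above, as an added example (not taken from the ballot or from any CA's code): it reads the referral from an IANA WHOIS answer, resolves RDAP base URLs from an IANA bootstrap file in the RFC 9224 `services` layout, and refuses either source once it is more than 48 hours old. The sample responses, hostnames and function names are constructed for illustration, and the network fetch is assumed to happen elsewhere.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=48)  # ballot limit for cached WHOIS server info and RDAP bootstrap data

class StaleDataError(Exception):
    """Cached IANA data is older than the ballot allows."""

def require_fresh(fetched_at, now):
    # Reject, rather than silently reuse, anything more than 48 hours old.
    if now - fetched_at > MAX_AGE:
        raise StaleDataError(f"IANA data fetched {fetched_at.isoformat()} is over 48 hours old")

def whois_referral(iana_response, fetched_at, now):
    """Return the WHOIS server named in the 'refer:' line of an IANA WHOIS answer."""
    require_fresh(fetched_at, now)
    for line in iana_response.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "refer" and value.strip():
            return value.strip().lower()
    return None  # no referral: do not fall back to a guessed or hard-coded server

def rdap_base_urls(bootstrap_json, domain, fetched_at, now):
    """Return RDAP base URLs for the longest bootstrap entry matching the domain."""
    require_fresh(fetched_at, now)
    labels = domain.rstrip(".").lower().split(".")
    services = json.loads(bootstrap_json)["services"]
    for i in range(len(labels)):  # try the longest suffix first
        suffix = ".".join(labels[i:])
        for entries, urls in services:
            if suffix in (e.lower() for e in entries):
                return list(urls)
    return []  # no bootstrap entry: RDAP cannot be used for this name

# Constructed sample data (not real IANA output).
SAMPLE_WHOIS = "% IANA WHOIS server\n\nrefer:        whois.nic.example\n\ndomain:       EXAMPLE\n"
SAMPLE_BOOTSTRAP = json.dumps({"version": "1.0", "services": [
    [["example"], ["https://rdap.nic.example/"]],
    [["co.example"], ["https://rdap.co.example/v1/"]]]})

if __name__ == "__main__":
    now = datetime(2025, 1, 20, 12, 0, tzinfo=timezone.utc)
    fetched = now - timedelta(hours=47)  # still inside the 48-hour window
    print(whois_referral(SAMPLE_WHOIS, fetched, now))
    print(rdap_base_urls(SAMPLE_BOOTSTRAP, "shop.co.example", fetched, now))
```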
2025-01-15: CAs MUST NOT rely on Domain Contact information obtained using an HTTPS website. When obtaining Domain Contact information via WHOIS (RFC 3912) or RDAP (RFC 7482), CAs MUST follow the specified IANA query/bootstrap procedure and cache-freshness restrictions. Applies to CAs issuing Subscriber Certificates that obtain Domain Contact information for a requested Domain Name from an HTTPS website or through the WHOIS/RDAP processes described in the ballot materials.
2025-07-15: CAs MUST NOT issue Subscriber Certificates relying on Methods 3.2.2.4.2 or 3.2.2.4.15, and prior validations and data gathered using these methods MUST NOT be used to issue new Subscriber Certificates. Applies to CAs issuing Subscriber Certificates using Methods 3.2.2.4.2 or 3.2.2.4.15.
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Proposers
Proposed by Ryan Dickson and Chris Clements of Google (Chrome Root Program); endorsed by Arvid Vermote (GlobalSign) and Pedro Fuentes (OISTE).
Excerpt
Ballot SC080v3: Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods
Voting Results
Certificate Issuers 24 votes in total: