End of Life for WHOIS based email DCV method

Solution ID : ALERT20
Last Modified : 09/20/2024

Possible end of life for using WHOIS to identify domain contacts

Important: This is a dynamic article. We will update it as new information becomes available. Save this page and periodically check back for the latest information.

 

Ballot to prohibit the use of WHOIS for identifying domain contacts

Recently, a rogue WHOIS server enabled researchers from watchTowr Labs to exploit WHOIS to obtain fraudulently issued TLS certificates. In the CA/Browser Forum*, this event led Google to propose a ballot to sunset the use of WHOIS for identifying domain contacts. The ballot would set the following prohibitions starting 1 November 2024:

  • Prohibit certificate authorities (CAs) from using WHOIS to identify domain contacts. 
  • Prohibit CAs from reusing domain validation where WHOIS is the source of truth for a domain contact.

DigiCert does not support the ballot as currently written, as it does not yet incorporate the sensible feedback provided by ICANN nor the more reasonable timeline proposed by Amazon. We do support moving away from the obsolete WHOIS protocol to the more modern RDAP protocol while giving customers a reasonable amount of time to migrate and update their validation infrastructure. While we appreciate Google’s recent statements that they may be flexible on the timeline, customers need to be aware that this ballot will likely pass in some form.

*Note: In digital trust, the Certificate Authority/Browser Forum (CA/B Forum) writes the Baseline Requirements for the issuance and management of publicly trusted digital certificates, such as TLS, code signing, and S/MIME certificates. Enforcement of the requirements is handled by browser root programs.


How does this affect me?

If the ballot passes, starting 1 November 2024 at 00:00 UTC, you could no longer use the WHOIS-based email domain control validation (DCV) method to demonstrate control over a domain. For this DCV method, DigiCert sends an authorization email to the registered owners of the public domain, as shown in the domain's WHOIS record.

Additionally, starting 1 November 2024, CAs, such as DigiCert, could not reuse existing WHOIS-based domain validation to reissue or renew a certificate, forcing you to revalidate the domains using a different DCV method.


What do I need to do?

As soon as 1 November 2024, you would have to use a different DCV method to demonstrate control over your domains. You can still use the email DCV method; however, you must use the Constructed Email or Email to DNS TXT contact email DCV method.

DigiCert Recommendation

The industry is aligned with moving away from using WHOIS to identify domain contacts. So, DigiCert recommends that those using the WHOIS-based Email DCV method update their domain validation processes to use one of the other supported DCV methods as soon as possible.

DigiCert currently supports these other DCV Methods:

  • Email
    • Constructed Email 
      For the Constructed Email method, DigiCert sends the authorization email to five constructed email addresses for the domain: admin, administrator, webmaster, hostmaster, and postmaster @[domain_name].
    • Email to DNS TXT contact
      For the email to DNS TXT contact DCV method, DigiCert sends an authorization email to the email addresses found in the DNS TXT record on the _validation-contactemail subdomain of the domain you are demonstrating control over. 
       
  • DNS CNAME
    Add a DigiCert-generated random value to the domain's DNS as a CNAME record. Then, add dcv.digicert.com as the CNAME target.

  • DNS TXT
    Add a DigiCert-generated random value to the domain's DNS as a TXT record.

  • HTTP Practical Demonstration
    Host a file containing a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/fileauth.txt.

  • HTTP Practical Demonstration with unique filename
    Host a file with a random filename that contains a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/{unique-filename}.txt.
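
An added example (not DigiCert tooling or code from this article): for a domain moving off WHOIS-based email DCV, it lists which mailboxes could approve issuance under the Constructed Email and Email to DNS TXT contact methods, and flags TXT values that are malformed or hosted outside the domain. The function names, the one-address-per-TXT-value format, and the sample records are assumptions constructed for illustration.

```python
import re

# Local parts the page lists for the Constructed Email method.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")
# Subdomain the page names for the Email to DNS TXT contact method.
TXT_CONTACT_LABEL = "_validation-contactemail"
# Simplified address check (assumption: each TXT value holds exactly one address).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})$")


def normalize(domain):
    return domain.strip().rstrip(".").lower()


def constructed_addresses(domain):
    """The five mailboxes that receive the Constructed Email authorization."""
    return [f"{lp}@{normalize(domain)}" for lp in CONSTRUCTED_LOCAL_PARTS]


def txt_contacts(domain, txt_records):
    """Split TXT values at _validation-contactemail.<domain> into usable and malformed."""
    owner = f"{TXT_CONTACT_LABEL}.{normalize(domain)}"
    usable, malformed = [], []
    for raw in txt_records.get(owner, []):
        value = raw.strip().strip('"').strip()
        (usable if EMAIL_RE.match(value) else malformed).append(value)
    return usable, malformed


def approver_inventory(domain, txt_records):
    """List every mailbox that could approve issuance via the two email DCV methods."""
    dom = normalize(domain)
    usable, malformed = txt_contacts(dom, txt_records)
    outside = []
    for addr in usable:
        host = EMAIL_RE.match(addr).group(1).lower()
        if host != dom and not host.endswith("." + dom):
            outside.append(addr)  # mailbox hosted outside the validated domain
    return {"constructed": constructed_addresses(dom), "txt_contact": usable,
            "txt_malformed": malformed, "txt_outside_domain": outside}


# Constructed sample data: TXT answers keyed by owner name, as a resolver would return them.
SAMPLE_TXT = {
    "_validation-contactemail.example.com": [
        '"pki-team@example.com"', '"certs@msp.example.net"', '"mailto:ops@example.com"'],
}

if __name__ == "__main__":
    for key, value in approver_inventory("Example.com.", SAMPLE_TXT).items():
        print(key, value)
```

Every address in the constructed and txt_contact lists is a mailbox whose owner can authorize a certificate for the domain, so each one should be provisioned and access-controlled before switching methods.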


Need help?

If you have questions or concerns about this ballot prohibiting the use of WHOIS for identifying domain contacts, please contact your account manager or DigiCert Support immediately.

