Feedback Requested: Modernize EVG Domain Ownership Reuse Requirement to Reference Section 3.2.2.7


Dustin Hollenback

Mar 19, 2026, 7:46:43 PM
to valid...@groups.cabforum.org
Hello all,

The Extended Validation Guidelines (EVGs) currently require CAs to perform a WHOIS check when re‑using previously completed domain‑related identity verification for existing EV Subscribers. This requirement comes from older validation practices that depended on public WHOIS data to confirm registrant identity and detect domain transfers.

Today, authoritative domain registration information is normally obtained through RDAP, registry systems, or registrar‑provided data. In many cases, WHOIS data is redacted, inconsistent, or unavailable. As a result, the EVG requirement to perform a WHOIS check during reuse is outdated, operationally difficult, and inconsistent with how domain registration data is validated under the Baseline Requirements (specifically BR Section 3.2.2.7).

This proposed change updates the EVGs so that reuse of domain‑related identity information relies on domain registration data consistent with EVG Section 3.2.2.7, without introducing any EV‑specific mechanisms beyond what the BRs already require. It also clarifies that the CA must confirm that the Domain Name remains registered to the same Legal Entity previously validated for the EV Certificate.

Draft change for review:
https://github.com/cabforum/servercert/pull/658/changes#diff-f7368cf58de0586cb0ad80e242205ab3272314af71f4115b99187f49521da529

Feedback is appreciated.

Thank you,



Dustin

Adriano Santoni

Mar 20, 2026, 5:07:21 AM
to valid...@groups.cabforum.org

I agree, that's fine with me.

Adriano

Martijn Katerbarg

Mar 20, 2026, 5:24:21 AM
to valid...@groups.cabforum.org
I just want to point out that, wherever WHOIS data is redacted, that same information will also be redacted throughout the RDAP protocol.

Having said that, the proposal seems to do away with both options and focus on DCV itself, which I agree is a good step forward.
--
You received this message because you are subscribed to the Google Groups "Validation Subcommittee (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to validation+...@groups.cabforum.org.
