
CA/B Forum Approves New Method for Verifying Domain Control Using ALPN Extension


The CA/B Forum, the SSL industry regulator, has adopted Ballot SC33 by a majority vote.

Under the proposal, the method for verifying domain ownership in clause 3.2.2.4.10 (using random numbers) is now deprecated. In its place, a new clause 3.2.2.4.20 has been introduced, which allows ownership of an FQDN to be checked using the ALPN extension.

Reasons for the changes

In January 2018, a vulnerability was discovered in the ACME TLS-SNI-01 domain validation method. That method was the main way of implementing clause 3.2.2.4.10 and continued to be used despite the known problems. The ALPN method is an alternative to ACME TLS-SNI-01 validation and was standardised by the IETF as RFC 8737. For this reason, the CA/B Forum decided to abandon the potentially insecure method 3.2.2.4.10 in favour of the new method 3.2.2.4.20.

The proposal does not give any details of a transition period for validation method 3.2.2.4.10. All previous checks performed using this method, as well as the validation data obtained using it, should not be used for issuing certificates.

The proposal also restricts the use of old validated FQDNs: new validations are required for different subdomains, and wildcard validations are not allowed.
