Time’s Ticking: WHOIS Email Validation Ends. Life Cycles Shorten. Are You Ready?
Award-winning solution for cutting-edge certificate lifecycle management
CSC wins the Global InfoSec Award for Cutting-Edge Certificate Lifecycle Management for its innovative Domain Control Validation as a Service (DCVaaS). Watch the webinar to learn how this solution helps companies in the evolving digital certificate landscape.
The SSL/TLS digital certificate industry is undergoing major shifts as a result of ballots passed at the CA/Browser Forum:
WHOIS email validation is being deprecated by June 15, 2025
Certificate life cycles will shrink to just 47 days by March 15, 2029
With each change, CSC proactively helps organizations adapt with scalable alternatives.
Key pain point: Repetitive, time-consuming validations create delays and administrative friction—especially as certificate life cycles shrink.
Webinar transcript
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video. Thank you.
Christy: Hello, everyone, and welcome to today's webinar, "Time's Ticking: WHOIS Email Validation Ends. Life Cycles Shorten. Are you ready?" My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today is Mark Flegg. Mark is CSC's Senior Director of Technology Security Products and Services and is responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their digital assets. To raise awareness of digital threats to businesses, Mark presents programs dealing with domain security and cybersecurity assets at leading industry conferences and events. And with that, let's welcome Mark.
Mark: Thanks very much, Christy. Hi, everybody. Thanks for attending today. This is an interesting topic, and I'm going to go kind of straight into it because in April, the Certificate Authority and Browser Forum ballot SC081 was passed, which paved the way for reduced lifetime in certificates.
So today, we all enjoy one-year certificates. When I started in this industry many, many years ago, you could actually buy a publicly trusted certificate for 10 years. And that dropped to five, then four, three, two, one. And here we are talking about ultimately, in less than four years, dropping to 47 days. So you can see the timelines there. And I think everybody is familiar: March of next year we'll drop to essentially six months. A year later, we drop to essentially 90 days. You have grace periods built in for replacing those certificates.
But the interesting one for me is what's happening in that right-hand column with what we call domain control validation or DCV for short. And March 15, 2028, that's actually dropping to 10 days. It no longer stays in line with the certificate issuance timelines. And then, obviously, in March 2029, we drop to 47 days with a 10-day re-use period for that DCV, domain control validation.
This is going to, obviously, create friction within your organization. If you think about it, today you're replacing a certificate once a year. Well, that's going to be eight times a year in less than four years time. So the good news is there are solutions to this. And even better news that I'm going to talk to you about today is that there are solutions for DCV as well.
So before we get into that, I think a very important thing to highlight, and hopefully you're all aware of it and you've taken steps, but today you've got kind of three validation methods for domain control. And again, for those that aren't that familiar, domain control validation is something that we must do with every single certificate that we request. And that's simply proving that you are in control of that domain name.
Those methods, one of them is WHOIS email validation. So what the certificate authority will do is look at the public WHOIS record, and they will take the registrant, for example, email address, and they will send an email to it with a link to say you either approve or reject the issuance of this certificate. If you click Approve, great, that passes DCV. They can then get on to the next step in the process and get closer towards issuing that certificate for you.
Last year, there was a cyber company and on their blog they reported that they were able to pick up a dropped domain name that prior use was for a registry, and they were using that domain name for their public WHOIS, so people could connect and look at the WHOIS information. We're all duty bound to be able to provide that information. And what happened is they set up that domain as a WHOIS server and fired off requests to a lot of CAs to see whether or not they would get emails to issue certificates. And they did set themselves, obviously, as the email address on the WHOIS records, fictitious ones that they created. And what happened is they did get emails. And that was startling that a decommissioned WHOIS server was still being used by different certificate authorities around the world.
So they were good citizens. They reported it to the CA/B Forum, Certificate Authority and Browsers, who took immediate action to this and said, "Yeah, this is not proving that you're in control of a domain name at all." And initially, they wanted to remove this method on November 1st of last year. Well, clearly, there are a lot of organizations that use this method, and let's just say a few arms were thrown up in the air. So they delayed it till July 15th of this year, and that's the time when certificate authorities will cease to issue certs based on a WHOIS email validation as part of domain control validation.
Now we're taking it a month earlier. We want to make sure that all of our customers are in compliance and there's no gray area. So June 15th, we will cease to support that method.
So if we look at what the alternatives are, so you've got the three there that are in effect today. So you've got your WHOIS email.
You've got your web token. So again, when you request the certificate, you can say, "I want to qualify via a web token." You'll be given a key in return, and then you would add that to your website. So the domain name cscglobal.com/ and then put the token in. And that's proving that you're in control of the domain. The certificate authority can read it and see that you've got that unique token under that cscglobal.com domain name, and they'll be quite happy to issue a certificate.
Same for a DNS record. Whether it's a CNAME or a TXT record, same principle. You request a certificate. You say, "I want to qualify via a DNS token." You will get the key back, and you publish that as a CNAME or TXT record on the zone. It's publicly accessible. The CA can verify it, see their unique token. They'll be quite happy to issue a certificate.
So WHOIS email is going away, which leaves us with web token and DNS record. Now, for me, web tokens are not preferred. For those of you that are familiar with subdomain takeover or subdomain hijacking, if somebody gets hold of one of your abandoned subdomains and controls the content, and we have done other webinars on this that you can look up, then they can issue a certificate, and that'll lend authenticity to the fake website that you're inadvertently still pointing to. So that's not our preferred method.
Our preferred is DNS. If you have access to DNS, that absolutely categorically proves you're in control of the domain name. So this is the route that CSC have gone down with our DCV as a service that we'll get on to shortly.
There is an impact to us all. So the companies that are using this validation method, you really need to take an action now, if you have not already. I'm hoping that you have. So you can see the timelines there where we need the alternate validation methods. And again, this is going to become even more important when we look at the future and what is happening with the certificate lifetime reduction. So for the next couple of years, at least 200 days, 100 days, yeah, that's in line with the certificate.
But when you get down to 2028 and you get to 10 days, what this renders kind of obsolete is with some CAs you can prevalidate, and I'm sure some of you are doing that already. So when it comes to issuing the certificate, it's pretty instantaneous. That's not going to help us. When you can have a certificate that lasts for 90 days, but your DCV only lasts for 10, you don't want to keep doing that. So it's going to be expiration date minus 10 days or when you're ready to issue it is when you have to do that. And when we get to 47 days, even worse. You're not going to revalidate that five times so that it's in its correct usable period to issue the certificate.
So the trick here and the way to future-proof it is to be able to do this DCV in real time. So this is where we introduce our new service Domain Control Validation as a Service, so DCVaaS. We are the first to launch this product. It's a DNS record validation that only requires a one-time deployment, and I'll get into more detail on that. And then any subsequent renewals, where we always have to do the DCV check, we automate that on your behalf.
So we take the workload away from you. And this is DNS agnostic. We don't care which DNS provider you are using. We can give you that one-time CNAME record and just apply it to any zone that you would ever want a certificate for. The caveat, of course, is this is only available for our CSC Trusted Secure brand of certificates. And the even better news is it's a free service. It's available today through our API. And then May 29th is when we will release this in our user interface.
So how does it work? What's this guy talking about? Well, if you think about the steps that we take to register or request a certificate, the first thing starts with you generate your CSR and you place an order. And depending on your validation method that you select when you're placing your order, you have to perform that DCV, that domain control validation, so web token, DNS token, or up until June 15th WHOIS email record. And once you've done that, then we can issue the certificate. We do our checks and balances, make sure that you're in control, and then we'll issue the certificate for you. And this has to happen every single time you want to renew the certificate.
What we're planning to do is a one-time setup. So we would onboard our clients for DCV as a Service. And as I say, that introduces a CNAME record. And the job of that CNAME record is you put it on all of your domains, all your zones, and it essentially points back to a domain name that CSC controls, and that domain name is cscdcv.com. It does what it says. And when you request the certificate, so again looking at what we did previously, you can see the shift here, where CSC is taking on the work. When you request that certificate, you're going to say I want to use DCV as a Service. We'll say great. We go and get the token from the CA. We publish it on cscdcv.com as a TXT record. And then the CA will do their checks, and they will go to the domain name for the certificate that was requested. They will see the CNAME (_pki-validation, whatever it might be). And that'll point them to cscdcv.com. And then they can read the TXT record, and that has the unique token. Then we can issue the certificate.
So it's a very, very simple process. But all of the kind of transactional, if that's the right thing to say when we're renewing our certificates, the work, the validation that has to be done behind the scenes, we're just doing that for you. There's no need for you to worry about figuring out how to get a DNS token on or a web token. WHOIS email will have disappeared. We're doing what we love doing for our clients. We're simplifying workflows, and we're doing what we can with technology and innovation to make your lives easier.
And again, think about this every subsequent renewal. When we get down to 47 days, it needs to be done in real time. And we can absolutely do this. We've had customers that ran their own DNS, where they would request DNS tokens and they would have to go off and publish it. But they employ ticketing systems, and they have to wait. And we had one client where we took them from six hours to get a certificate, and the variability was on their side in terms of how long it took to get that ticket executed for the CNAME. We've got them down to under five minutes now because of the DCV as a Service.
So again, I really want to stress this point. This is a once-and-done setup for you. You simply add the CNAME. You set it, you forget it. Don't ever worry about it again because all it's doing is pointing back to cscdcv.com. And then every time, we're doing the rest of the work for you. So there's no transactional effort needed. You just say, "Hey, I want a certificate," and we take care of the domain control validation for you.
So hopefully, the advantages have already come across here. It's much simplified validation workflows. There's nothing for you to do, other than the onboarding step. It will result in faster certificate issuance. You're not waiting internally for people to populate things at a transactional level or renewal time. It definitely reduces your administrative burden. And having all of this, again, DNS agnostic, you can apply it to everything that you have. It doesn't matter where the domain is, what DNS it's on. It's the same CNAME. And it future-proofs against the industry changes. So you've seen WHOIS email validation is going away.
You've seen the drop in the lifetime for DCV, which is way more aggressive, 10 days versus 47 days for the certificate. So this is a super important part. And I think you know whilst we do like to plan and manage, SSL is one of those things that it's always the last minute. So now that we can do this in real time for you, I think that's going to save a lot of embarrassment when these start expiring and we forget because we do, we're human.
If we just talk about some kind of key considerations in certificate management, flexibility is key. I know and I've spoken to a lot of our customers. Infrastructure that we have isn't just one single infrastructure. It's made up of many, many different areas and different versions. So having a wide product range, tailored solutions is super important because I don't think there's an out-of-the-box solution that can play well with everything. It does need to be tailored for your environment.
The agility is critical. As I said, we leave certs till the last minute. And maybe we're registering a new domain name, and we need it to be live ASAP. Well, if you're doing real-time domain control validation, that's not an issue. So it gives you that speed and ease and provision alternative brands instantly.
And then the control part of it, we like providing options for our clients. So whether it's self-service, fully-managed, automated, or you want just centralized management, again we can help you with that, and we'd be more than happy to talk to you about it.
So in conclusion, this is kind of the evolution of our security focus, the things that we want to do for our clients. You can see we've got a good track record there. I'll highlight a couple. We were the first in the industry to mandate two-factor authentication back in 2017. I mean, that's table stakes today. You wouldn't expect a bank to not have that. So why would you not expect your domain registrar that covers SSL and DNS as well not to have that? And obviously, last year, we launched our DomainSec user interface. Hopefully, some of you have seen that or are using that today. And then, obviously, this year our DCV as a Service. We'll continue to innovate. We'll continue to try and make your lives easier, as best we can, dealing with the challenging changes in the industries. We'll be at the forefront of that.
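The following Python is an added illustration, not part of the webinar transcript and not CSC's code. It simulates the two mechanics Mark describes: a CA chasing a delegation CNAME from the customer's zone to a TXT record under cscdcv.com (the delegation target named in the webinar), and the DCV reuse arithmetic once the reuse window drops to 10 days. The `_pki-validation` label, the zone contents and the token are constructed for the example; the reuse schedule uses the dates and day counts stated in the webinar, and the example assumes the window is measured against the issuance date.

```python
"""
Added example: delegated domain control validation (DCV) over a constructed
in-memory zone map, plus the DCV reuse-window check. Not CSC's code.
"""
from datetime import date, timedelta

# Constructed DNS data. Names are fully qualified (trailing dot).
# "_pki-validation" is a hypothetical validation label; the CA's real label
# may differ. cscdcv.com is the delegation target named in the webinar.
ZONES = {
    # Customer zone: one-time CNAME pointing into the provider's zone.
    "_pki-validation.example.com.": [
        ("CNAME", "_pki-validation.example.com.cscdcv.com.")],
    # Provider zone: the per-issuance token published as TXT.
    "_pki-validation.example.com.cscdcv.com.": [("TXT", "dcv-token-1234abcd")],
    # Failure modes a defender should expect the check to reject:
    "_pki-validation.loop.example.": [("CNAME", "_pki-validation.loop2.example.")],
    "_pki-validation.loop2.example.": [("CNAME", "_pki-validation.loop.example.")],
    # Delegation left pointing at a provider that no longer serves the name.
    "_pki-validation.dangling.example.": [
        ("CNAME", "_pki-validation.dangling.example.old-provider.example.")],
}


def resolve_txt(name, zones, max_hops=8):
    """Follow CNAMEs from `name` and return (final_name, [TXT values]).
    Raises LookupError on a missing name, a CNAME loop or too many hops."""
    seen = []
    current = name
    for _ in range(max_hops):
        if current in seen:
            raise LookupError(f"CNAME loop at {current}")
        seen.append(current)
        rrset = zones.get(current)
        if rrset is None:
            raise LookupError(f"no records for {current}")
        cnames = [target for rtype, target in rrset if rtype == "CNAME"]
        if cnames:
            current = cnames[0]
            continue
        return current, [value for rtype, value in rrset if rtype == "TXT"]
    raise LookupError("too many CNAME hops")


def validate_dcv(domain, expected_token, zones,
                 label="_pki-validation", provider_suffix=".cscdcv.com."):
    """Owner-side pre-check of what the CA will see: the delegation must land
    under the expected provider zone and expose the expected token."""
    qname = f"{label}.{domain.rstrip('.')}."
    try:
        final_name, txts = resolve_txt(qname, zones)
    except LookupError as exc:
        return {"ok": False, "reason": str(exc)}
    if final_name != qname and not final_name.endswith(provider_suffix):
        return {"ok": False, "reason": f"delegated to unexpected target {final_name}"}
    if expected_token not in txts:
        return {"ok": False, "reason": f"token not found at {final_name}"}
    return {"ok": True, "reason": f"token found at {final_name}"}


# Maximum DCV reuse period by effective date, as given in the webinar.
REUSE_SCHEDULE = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2028, 3, 15), 10),
]


def dcv_reuse_days(issue_on):
    """Reuse window (days) in force on an ISO date; schedule starts 2026-03-15."""
    on = date.fromisoformat(issue_on)
    days = None
    for effective, limit in REUSE_SCHEDULE:
        if on >= effective:
            days = limit
    if days is None:
        raise ValueError("schedule covers dates from 2026-03-15 onward")
    return days


def dcv_still_valid(validated_on, issue_on):
    """True if a prior validation can still be reused at issuance time.
    Assumption: the window is measured against the issuance date."""
    age = date.fromisoformat(issue_on) - date.fromisoformat(validated_on)
    return age <= timedelta(days=dcv_reuse_days(issue_on))


if __name__ == "__main__":
    for d in ("example.com", "loop.example", "dangling.example"):
        print(d, validate_dcv(d, "dcv-token-1234abcd", ZONES))
    # A 90-day certificate validated at issuance cannot reuse that DCV
    # for its renewal once the window is 10 days.
    print(dcv_still_valid("2028-03-20", "2028-06-18"))
```

The point of the `provider_suffix` check is the subdomain-takeover concern raised for web tokens: a delegation CNAME that resolves, but not into the provider's zone, should be treated as a misconfiguration to fix, not as a passing validation.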