Why doesn't Let's Encrypt use WHOIS information for domain validation?


#1

Using the DNS based validation mechanism, why wouldn’t you use the WHOIS information associated with the domain to fill in ownership information? And when you combine this with a DUNS number you can effectively do an EV certificate or even a code signing cert.


How do you confirm the person asking for the certificate actually owns the domain?
#2

Whois has no standardized format yet and is not available for all TLDs.


#3

Many registrars do not validate data you put in your domain WHOIS info. Hence, you cannot rely on ownership info found there. I believe that CAs are prohibited (by CA/Browser Forum Baseline Requirements and EV Guidelines) from relying on third parties for any kind of validation and are required to perform all the checks themselves.


#4

@mkwm is correct. The EV rules are described in

They wouldn’t allow using whois data this way. Nor would the Baseline Requirements at


#5

a) https://au.godaddy.com/help/add-private-registration-420
b) this was a methodology that was used by CAs previously but this leads to lots of problems (such as social engineering attacks)
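The replies above make three separate points against WHOIS as a validation source: the record format differs from registry to registry (#2), private registration replaces the registrant with a proxy service (#5a), and even a readable registrant name was never checked by the registrar (#3). The Python below is an added illustration, not code from this thread or from Let's Encrypt. It runs a small WHOIS-style parser over four constructed records (loosely styled after flat "Key: Value" output, the same output under a privacy proxy, an indented block layout, and a TLD with no WHOIS service); the field names, registrant names and redaction markers are all assumptions for the demonstration. A validator gets a usable name out of only two of the four records, and for those two it still has no way to know whether the name is true.

```python
import re
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample WHOIS responses (not real registry output) ---------

# Flat "Key: Value" layout with a "Registrant" prefix on contact fields.
WHOIS_GTLD_STYLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Email: jane@example.com
"""

# Same layout, but the registrar's private-registration service has replaced
# the registrant with a proxy (the "add private registration" case in #5a).
WHOIS_PRIVACY_PROXY = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect, LLC
Registrant Email: contact@privacy-proxy.example
"""

# Indented block layout: header line, value on the following indented line.
WHOIS_CCTLD_BLOCK = """\
    Domain name:
        example.org.uk

    Registrant:
        Jane Doe

    Registrar:
        Example Registrar, Inc. [Tag = EXAMPLE]
"""

# A zone whose registry publishes no WHOIS at all (constructed server reply).
WHOIS_UNAVAILABLE = "% No WHOIS service is available for this TLD.\n"

# Strings that, in this demonstration, mark a privacy/proxy placeholder (assumed list).
REDACTION_MARKERS = ("REDACTED", "PRIVACY", "PROXY", "NOT DISCLOSED")


@dataclass
class WhoisAssessment:
    registrant: Optional[str]  # registrant name as found in the record, or None
    usable: bool               # could a validator read a registrant out of it at all?
    reason: str


def parse_key_values(record: str) -> dict:
    """Collect 'Key: Value' pairs. Only the flat layout yields anything here;
    block layouts have nothing after the colon and fall through."""
    fields = {}
    for line in record.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(\S.*)$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return fields


def parse_block_registrant(record: str) -> Optional[str]:
    """Fallback for the indented block layout: the first indented line after a
    bare 'Registrant:' header. Each new layout needs another such special case."""
    m = re.search(r"^\s*Registrant:\s*\n\s+(\S.*)$", record, re.MULTILINE)
    return m.group(1).strip() if m else None


def assess(record: str) -> WhoisAssessment:
    fields = parse_key_values(record)
    name = fields.get("registrant name") or parse_block_registrant(record)
    if name is None:
        return WhoisAssessment(None, False,
                               "no registrant field recognised (unknown format or no WHOIS service)")
    org = fields.get("registrant organization", "")
    if any(mk in name.upper() or mk in org.upper() for mk in REDACTION_MARKERS):
        return WhoisAssessment(name, False, "registrant hidden behind a privacy/proxy service")
    # A name was found, but nothing in the record says the registrar ever checked it.
    return WhoisAssessment(name, True, "registrant field present; unverified by the registrar")


if __name__ == "__main__":
    samples = {"flat": WHOIS_GTLD_STYLE, "privacy proxy": WHOIS_PRIVACY_PROXY,
               "block layout": WHOIS_CCTLD_BLOCK, "no whois": WHOIS_UNAVAILABLE}
    for label, rec in samples.items():
        a = assess(rec)
        print(f"{label:14} usable={a.usable!s:5} registrant={a.registrant!r:24} {a.reason}")
```

The flat and block records both yield "Jane Doe", but only because the parser carries a special case for each layout; the proxy record yields a placeholder, and the WHOIS-less TLD yields nothing. None of the four outcomes tells a CA who controls the domain, which is why validation instead asks the requester to prove control directly (for example by publishing a CA-chosen value in DNS) rather than reading a registrar database.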

