Why doesn't Let's Encrypt use WHOIS information for domain validation?

Using the DNS based validation mechanism, why wouldn’t you use the WHOIS information associated with the domain to fill in ownership information? And when you combine this with a DUNS number you can effectively do an EV certificate or even a code signing cert.

Whois has no standardized format yet and is not available for all tlds.

2 Likes

Many registrars do not validate data you put in your domain WHOIS info. Hence, you cannot rely on ownership info found there. I believe that CAs are prohibited (by CA/Browser Forum Baseline Requirements and EV Guidelines) from relying on third-party for any kind of validation and are required to perform all the checks themselves.

@mkwm is correct. The EV rules are described in

They wouldn’t allow using whois data this way. Nor would the Baseline Requirements at

2 Likes

a) https://au.godaddy.com/help/add-private-registration-420
b) this was a methodology that was used by CAs previously but this leads to lots of problems (such as social engineering attacks)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.