![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Ассоциация CA/Browser Forum, выступающая площадкой для совместного принятия решений с учётом интересов производителей браузеров и удостоверяющих центров, утвердила новые требования к организациям, выдающим сертификаты для HTTPS. В новых требованиях объявлены устаревшими 11 методов проверки владения доменом, для которого выдаётся сертификат. Прекращение поддержки устаревших методов будет производиться поэтапно до марта 2028 года. В качестве причин прекращения поддержки отмечается фокусирование внимания на автоматически выполняемых и криптографически верифицируемых методах проверки.
via https://security.googleblog.com/2025/12/https-certificate-industry-phasing-out.html
Raising the floor of security
The recently passed CA/Browser Forum Server Certificate Working Group Ballots introduce a phased sunset of the following Domain Control Validation methods. Alternative existing methods offer stronger security assurances against attackers trying to obtain fraudulent certificates – and the alternative methods are getting stronger over time, too.
Sunsetted methods relying on email:
Email, Fax, SMS, or Postal Mail to Domain Contact
Email, Fax, SMS, or Postal Mail to IP Address Contact
Constructed Email to Domain Contact
Email to DNS CAA Contact
Email to DNS TXT Contact
Sunsetted methods relying on phone:
Phone Contact with Domain Contact
Phone Contact with DNS TXT Record Phone Contact
Phone Contact with DNS CAA Phone Contact
Phone Contact with IP Address Contact
Sunsetted method relying on a reverse lookup:
IP Address
Reverse Address Lookup
via https://security.googleblog.com/2025/12/https-certificate-industry-phasing-out.html
Raising the floor of security
The recently passed CA/Browser Forum Server Certificate Working Group Ballots introduce a phased sunset of the following Domain Control Validation methods. Alternative existing methods offer stronger security assurances against attackers trying to obtain fraudulent certificates – and the alternative methods are getting stronger over time, too.
Sunsetted methods relying on email:
Email, Fax, SMS, or Postal Mail to Domain Contact
Email, Fax, SMS, or Postal Mail to IP Address Contact
Constructed Email to Domain Contact
Email to DNS CAA Contact
Email to DNS TXT Contact
Sunsetted methods relying on phone:
Phone Contact with Domain Contact
Phone Contact with DNS TXT Record Phone Contact
Phone Contact with DNS CAA Phone Contact
Phone Contact with IP Address Contact
Sunsetted method relying on a reverse lookup:
IP Address
Reverse Address Lookup
