Domain Control Validation (DCV) changes

Important Announcement

Comodo is making some functional improvements to the AusCERT Certificate Service Manager (CSM) which will help streamline how Domain Control Validation (DCV) occurs. This will make the DCV process more efficient and easier for you, and ultimately help ensure only authorised parties issue certificates for your domains.

Comodo and DCV

DCV is a process all Certificate Authorities are required to follow as part of the CA/Browser Forum guidelines. [1] DCV increases security for POs by helping to prevent unauthorised parties from obtaining a valid certificate for domains owned by you. Hence all SSL certificate requests must pass DCV by Comodo before the certificates are issued. Comodo has developed procedures for DCV [2] and has been applying them since September 2011.

What is changing?

The requirement for DCV remains unchanged for every SSL certificate. However, with effect from 14 July 2012, new DCV functionality will be enabled in the AusCERT CSM.

From that time, RAOs and DRAOs will be able to specify their preferred method of DCV within the CSM and initiate the DCV process via the CSM. Under current arrangements, sometimes there is a lack of clarity for POs as to which of the DCV methods is being used by Comodo or how the DCV approval process is progressing, due to the way that the Domain Registry for .au withholds contact email addresses from direct WHOIS requests. Enabling DCV functionality in the CSM will help RAOs and DRAOs to more easily understand and follow the steps necessary to facilitate and complete the DCV process for their particular domains.

For an overview of the new DCV features in the CSM refer to the following sections of the RAO Administrator Guide [3]:

  • 4.4.2.1 Domain area
  • 4.4.2.1.2 DCV
  • 4.4.2.2.2 Validating the Domain
  • 4.4.2.2.2.1 Changing DCV method for Validation of Pending Domains

Is there an alternative to DCV?

Under most circumstances, every certificate must pass DCV using one of the three methods described. [4] However, Comodo recognises that your organisation may be ordering a large number of certificates for various domains and sub-domains.

Therefore, rather than require you to provide evidence of domain control or ownership at the time of a certificate request, Comodo is providing the opportunity to pre-authorise many domains, by completing and signing a Domain Authorisation Letter (DAL), which can be downloaded from Comodo. Comodo will then lock verification of that domain to your account for a period not to exceed 36 months, during which time you will not need to re-verify domain control.

If I wish to complete a DAL, what action is required?

As a PO, if you wish to use a DAL to pre-authorise your domains for SSL certificate issuance, please complete and return it to AusCERT CS [5] by noon Friday, 29 June 2012. Please only include primary registered domains you own, eg, example.edu.au. Do not include sub-domains, eg, mailserver.example.edu.au.

Please note that it won't be possible to use the DAL to waive normal DCV requirements after this time. All domains within your CSM account that are not listed in a previously submitted DAL must pass DCV before SSL certificates can be issued for these domains.

What action is required from 14 July 2012?

Comodo will activate DCV within your CSM account by 14 July 2012. To help ensure DCV proceeds as efficiently as possible, make sure that you specify your preferred method of DCV, and follow the steps within the CSM to facilitate that process. For an overview of how to manage DCV within the CSM refer to the following sections [6]:

  • 4.4.2.1 Domain area
  • 4.4.2.1.2 DCV
  • 4.4.2.2.2 Validating the Domain
  • 4.4.2.2.2.1 Changing DCV method for Validation of Pending Domains

Where applicable, make sure other affected parties involved in the management, or hosting, of your domains and/or certificates (ie, parties who have access to the selected email address, DNS server, or hosting server) are also aware of what is required of them to facilitate the completion of DCV.

What if I don't specify a method of DCV within the CSM?

In the absence of a preferred method, Comodo will use the email method for DCV by default.

Will I need to undergo DCV for all domains for which I already have AusCERT CS certificates issued?

You may need to undergo DCV when SSL certificates for those domains are renewed to ensure you are still the owner of that domain.

If you have any questions and/or issues about this matter, please contact AusCERT Certificate Service on cs@auscert.org.au.

 


[1] Refer to the CA/Browser Forum, Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.0, Section 11, Verification Practices, http://cabforum.org/documents.html

[2] https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1367

[3] AusCERT CSM RAO Administrator Guide, version 2.8.052312 for Software Version 2.8.26

[4] https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1367

[5] Email a scanned copy to cs@auscert.org.au or fax: +61 7 3365 7031

[6] AusCERT CSM RAO Administrator Guide, version 2.8.052312 for Software Version 2.8.26