
Procedure for domain approval

AusCERT domain verification

The purpose of verifying domain ownership is to prevent the situation, either deliberate or inadvertent, wherein a Participant Organisation (PO) attempts to issue a certificate for a domain that it neither owns nor controls. The priority for AusCERT is to ensure that sufficient connection exists between details in the WHOIS record and the PO itself to prove that ownership or control of the domain is with the PO.

A similar process will apply to verifying ownership/control of an IP address.

Domain verification

AusCERT will follow these steps, in order of priority, to prove from WHOIS information that ownership and/or control of a domain resides with the PO (it is assumed that the PO has requested approval, either by adding the domain to the CSM or by asking AusCERT to do so):

Step 1.

If either (or both) of the following circumstances are satisfied, the domain will be approved:

  1. Primary WHOIS data corresponds directly to the name of the applying PO; that is, the PO's name is the same as the registration name.
    • Registrant
  2. Primary WHOIS data does not correspond to the name of the applying PO [1], but secondary data exists that corresponds to an existing, approved domain for the PO. An acceptable combination of secondary data fields is:
    • Registrant Contact Email
    • Registrant Email
    • Admin Email
    • Name Server

    Step 2.

    If neither primary nor secondary WHOIS data correlates with the PO, domain approval will be deferred until one of the following is satisfied:

      1. AusCERT will ask the applying PO to arrange a change in WHOIS records. Once this has been completed successfully and circumstance 1 and/or 2 of Step 1 applies, the domain will be approved.
      2. AusCERT will perform domain control validation (DCV). Referring to the domain’s WHOIS record, AusCERT sends an email to one or more of the email addresses available in secondary WHOIS data to confirm that it is appropriate for the PO to issue certificates associated with that domain. An example of the email that will be sent is as follows:

        Dear <DOMAIN CONTACT>,
        As the CA for the AusCERT Certificate Service, we are attempting to verify ownership and/or control of <INSERT DOMAIN>.
        The <INSERT PO NAME> asserts that it has the right to issue certificates under the domain of <INSERT DOMAIN>.
        As a listed WHOIS contact for <INSERT DOMAIN>, please confirm by email reply that <INSERT PO NAME> is authorised to issue certificates for this domain.

        Regards,
        AusCERT Certificate Services

        If positive verification is provided, further correspondence may be undertaken to achieve (1) prior to approving the domain.

      3. AusCERT will seek further assurance and verification from the PO that the domain is owned by the PO. AusCERT will determine the validity of the application on a case-by-case basis and, at its discretion, approve or reject the application.

      The domain will be rejected in the following circumstances:

      1. Neither the primary nor secondary WHOIS data corresponds to the PO’s name or any existing, approved domain for the PO.
        AND
      2. AusCERT has been unsuccessful in verifying domain ownership and/or control by the PO as a result of Step 2 (1), (2) or (3).
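
The Step 1 check above, sketched as an added example (not AusCERT's own tooling). The name normalisation, the rule that a single secondary field under an approved domain is enough, and the dict layout of the WHOIS record are assumptions; anything that does not match is deferred to the manual Step 2 process rather than rejected.

```python
import re

# Field names come from the lists above; the matching rules are assumptions.
SECONDARY_FIELDS = ("Registrant Contact Email", "Registrant Email",
                    "Admin Email", "Name Server")

def norm_name(name):
    """Case-fold and collapse punctuation and whitespace before comparing names."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", name.casefold()).split())

def host_of(value):
    """Host part of an email address or name server, lower-cased, no trailing dot."""
    return value.rsplit("@", 1)[-1].strip().rstrip(".").lower()

def under_domain(host, domain):
    """True only if host is the domain itself or a subdomain (label-boundary match)."""
    domain = domain.strip().rstrip(".").lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))

def step1_decision(whois, po_name, approved_domains):
    """Return (decision, reason): 'approve' under Step 1, otherwise 'defer' to Step 2."""
    registrant = norm_name(whois.get("Registrant", ""))
    if registrant and registrant == norm_name(po_name):
        return "approve", "primary: Registrant matches PO name"
    for field in SECONDARY_FIELDS:
        values = whois.get(field, [])
        values = [values] if isinstance(values, str) else values
        for value in values:
            for domain in approved_domains:
                if under_domain(host_of(value), domain):
                    return "approve", f"secondary: {field} under {domain}"
    return "defer", "no primary or secondary match; continue with Step 2"

# Constructed sample records, not real WHOIS data.
SAMPLES = {
    "primary": {"Registrant": "Example  University."},
    "secondary": {"Registrant": "Example Holdings Pty Ltd",
                  "Admin Email": "hostmaster@it.example.edu.au"},
    "lookalike": {"Registrant": "Someone Else",
                  "Registrant Email": "admin@notexample.edu.au",
                  "Name Server": ["ns1.example.edu.au.other.test"]},
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, step1_decision(record, "Example University", ["example.edu.au"]))
```

The "lookalike" record is deferred because the comparison is made on a label boundary: neither `notexample.edu.au` nor `ns1.example.edu.au.other.test` is under `example.edu.au`, although both contain that string.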

     

    Public IP address ownership verification

    If the following circumstances are satisfied, the public IP address will be approved and delegated to the PO within the CSM:

    An APNIC WHOIS search shows the following fields match the PO's name and address:

    Acceptable primary data fields:

    • netname:
    • descr:
    • address:

    The IP address delegation will be rejected if the above does not apply.


    [1] AusCERT may, at its discretion, reject the domain application if the registrant is an existing PO or another HERS organisation, eligible for membership under the scheme. AusCERT may seek to have the Registrant data field changed to achieve primary approval in 1.