AusCERT domain verification
The purpose of verifying domain ownership is to prevent the situation, either deliberate or inadvertent, wherein a Participant Organisation (PO) attempts to issue a certificate for a domain that it neither owns nor controls. The priority for AusCERT is to ensure that sufficient connection exists between details in the WHOIS record and the PO itself to prove that ownership or control of the domain is with the PO.
AusCERT will follow these steps, in order of priority, to prove from WHOIS information that ownership and/or control of a domain resides with the PO (it is assumed that the PO has requested approval, either by adding the domain to the CSM or by making a request for AusCERT to do similar):
1. If either (or both) of the following circumstances are satisfied, the domain will be approved:
a) Primary WHOIS data corresponds directly to the name of the applying PO, i.e. the PO’s name is the same as the registrant name.
Acceptable primary data fields:
Registrant
b) Primary WHOIS data does not correspond to the name of the applying PO, but secondary data exist that correspond to an existing, approved domain for the PO. An acceptable combination of secondary data fields (TBD by AusCERT):
Registrant Contact Email
Registrant Email
Admin Email
Tech Contact Email
Name Server
2. If neither primary nor secondary WHOIS data correlates with the PO, domain approval will be deferred until one of the following is satisfied:
a) AusCERT will ask the applying PO to arrange a change in WHOIS records. When successfully completed and 1 and/or 2 now applies, approve domain.
b) AusCERT will perform domain control validation (DCV). Referring to the domain’s WHOIS record, AusCERT sends an email to one or more of the email addresses available in secondary WHOIS data to confirm that it is appropriate for the PO to issue certificates associated with that domain. An example of the email that will be sent is as follows:
Dear <DOMAIN CONTACT>,
As the CA for the AusCERT Certificate Service, we are attempting to verify ownership and/or control of <INSERT DOMAIN>.
The <INSERT PO NAME> asserts that it has the right to issue certificates under the domain of <INSERT DOMAIN>.
As a listed WHOIS contact for <INSERT DOMAIN>, please confirm by email reply that <INSERT PO NAME> is authorised to issue certificates for this domain.
Regards,
AusCERT Certificate Services
If positive verification is provided, further correspondence may be undertaken to achieve a) prior to approving the domain.
c) AusCERT will seek further assurance and verification from the PO that the domain is owned by the PO. AusCERT will determine the validity of the application on a case-by-case basis and, at its discretion, approve or reject the application.
In the following circumstances, the domain will be rejected:
a) Neither the primary nor secondary WHOIS data corresponds to the PO’s name or any existing, approved domain for the PO
AND
b) AusCERT has been unsuccessful in verifying domain ownership and/or control by the PO as a result of steps 2a, b or c.
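The decision order above, written out as an added example; it is not AusCERT's own tooling. It assumes WHOIS records in plain "Field: value" lines using the field names listed above, an exact registrant match after case and whitespace normalisation, and a hypothetical min_secondary threshold standing in for the "acceptable combination" that the procedure leaves TBD. All function and variable names are illustrative.

```python
# Added illustration; names, record layout and the matching threshold are assumptions.
PRIMARY = ("Registrant",)
SECONDARY = ("Registrant Contact Email", "Registrant Email", "Admin Email",
             "Tech Contact Email", "Name Server")

def parse_whois(text):
    """Parse 'Field: value' lines into {field: set of normalised values}."""
    record = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(field.strip(), set()).add(" ".join(value.lower().split()))
    return record

def check_domain(po_name, whois, approved, min_secondary=2, step2_verified=None):
    """Apply 1a, then 1b; otherwise defer until step 2 has an outcome."""
    name = " ".join(po_name.lower().split())
    if any(name in whois.get(f, set()) for f in PRIMARY):
        return {"decision": "approve", "rule": "1a"}
    for domain, rec in sorted(approved.items()):
        hits = [f for f in SECONDARY if whois.get(f, set()) & rec.get(f, set())]
        if len(hits) >= min_secondary:  # assumed reading of "acceptable combination"
            return {"decision": "approve", "rule": "1b", "evidence": hits, "via": domain}
    if step2_verified is None:
        # Step 2b: DCV mail goes only to addresses present in the WHOIS record itself.
        contacts = sorted({v for f in SECONDARY if f.endswith("Email")
                           for v in whois.get(f, set())})
        return {"decision": "defer", "rule": "2", "dcv_contacts": contacts}
    # Rejection needs both: no WHOIS correlation AND steps 2a, b or c unsuccessful.
    return {"decision": "approve" if step2_verified else "reject", "rule": "2"}

# Constructed sample records (not real WHOIS output).
APPROVED = {"example.edu.au": parse_whois("""Registrant: Example University
Registrant Contact Email: hostmaster@example.edu.au
Tech Contact Email: noc@example.edu.au
Name Server: ns1.example.edu.au
Name Server: ns2.example.edu.au""")}
NEW_DOMAIN = parse_whois("""Registrant: Example Uni Research Pty Ltd
Registrant Contact Email: hostmaster@example.edu.au
Tech Contact Email: it@example-research.test
Name Server: ns1.example.edu.au""")
UNRELATED = parse_whois("""Registrant: Someone Else
Tech Contact Email: admin@unrelated.test""")

if __name__ == "__main__":
    for rec in (APPROVED["example.edu.au"], NEW_DOMAIN, UNRELATED):
        print(check_domain("Example University", rec, APPROVED))
```

A near-match registrant name such as the second record does not satisfy 1a; it is approved only because two secondary fields tie it to an already approved domain, and raising min_secondary sends it to step 2 instead.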