The certificate authority ecosystem is undergoing a significant security upgrade. Through three CA/Browser Forum ballots (SC-080, SC-090, and SC-091), the industry has agreed to sunset 11 legacy Domain Control Validation (DCV) methods, replacing them with modern, automated alternatives. The transition will be phased, with full enforcement targeted for March 2028.
What Is Being Retired
Domain Control Validation is the process by which a Certification Authority (CA) confirms that a certificate applicant actually controls the domain in question. Without rigorous validation, an attacker could obtain a legitimate-looking certificate for a domain they do not own and use it to impersonate sites or intercept traffic.
The methods being retired fall into three categories:
- Email-based methods: Email, Fax, SMS, or Postal Mail to Domain Contact; Email to IP Address Contact; Constructed Email to Domain Contact; Email to DNS CAA Contact; Email to DNS TXT Contact
- Phone-based methods: Phone Contact with Domain Contact; Phone Contact with DNS TXT Record; Phone Contact; Phone Contact with DNS CAA; Phone Contact with IP Address Contact
- Reverse lookup: IP Address Reverse Address Lookup
These approaches rely on indirect verification signals such as WHOIS contact data, inherited infrastructure, or complex phone and email ecosystems. All have demonstrated exploitable weaknesses and are being replaced by challenge-response mechanisms, such as placing a CA-provided random value in a DNS TXT record, that are harder to spoof and straightforward to audit.
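The DNS TXT challenge-response check described above, written out as an added Python example (it is not code from the ballots or from any CA); the `_dcv-challenge` label, the 30-day validity window and the zone contents are assumptions constructed for the demonstration:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class DnsTxtChallenge:
    """A CA-issued challenge: a random value the applicant must publish in DNS."""
    domain: str
    random_value: str
    issued_at: float
    max_age_seconds: int = 30 * 24 * 3600  # assumption: 30-day validity window

def issue_challenge(domain: str, now: Optional[float] = None) -> DnsTxtChallenge:
    # The CA, not the applicant, chooses the value, so it cannot be predicted or reused.
    ts = now if now is not None else time.time()
    return DnsTxtChallenge(domain, secrets.token_urlsafe(24), ts)

def candidate_names(domain: str) -> list[str]:
    # Names the CA queries: the domain itself and an underscore-prefixed label (assumed label).
    return [domain, f"_dcv-challenge.{domain}"]

def validate_challenge(challenge: DnsTxtChallenge,
                       resolve_txt: Callable[[str], list[str]],
                       now: Optional[float] = None) -> tuple[bool, str]:
    """Confirm the random value is present in a TXT record for the domain.

    resolve_txt(name) returns the TXT strings for name or raises LookupError.
    Returns (passed, reason) so every decision can be logged and audited.
    """
    now = now if now is not None else time.time()
    if now - challenge.issued_at > challenge.max_age_seconds:
        return False, "random value has expired; issue a new challenge"
    for name in candidate_names(challenge.domain):
        try:
            records = resolve_txt(name)
        except LookupError:
            continue
        for txt in records:
            # Constant-time comparison of the whole value; no prefix or substring matches.
            if secrets.compare_digest(txt.strip().encode(), challenge.random_value.encode()):
                return True, f"matched random value in TXT record at {name}"
    return False, "no TXT record carried the expected random value"

# Constructed zone data standing in for a live resolver (offline demonstration only).
CONSTRUCTED_ZONE = {
    "example.test": ["v=spf1 -all"],
    "_dcv-challenge.example.test": ["ca-random-value-ABC123"],
}

def constructed_resolver(name: str) -> list[str]:
    if name not in CONSTRUCTED_ZONE:
        raise LookupError(name)
    return CONSTRUCTED_ZONE[name]
```

A production validator would additionally query from multiple network vantage points and record the full DNS response alongside the (passed, reason) result.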
Why This Matters for Security Teams
For practitioners, the practical significance is twofold. First, stale or third-party-controlled data sources (WHOIS records, legacy contact emails) can be manipulated or fall out of date, creating windows for fraudulent certificate issuance. Retiring these methods closes those windows at the ecosystem level, not just for individual CAs.
Second, the move favors automation-friendly protocols such as ACME, which enable faster certificate lifecycle management and reduce the risk of human error in issuance and renewal workflows. Organizations still relying on manual or email-based certificate procurement processes should treat the March 2028 deadline as a planning horizon for migrating to automated, standards-based DCV methods.
Broader Context
The initiative is part of Google’s “Moving Forward, Together” public roadmap, launched in 2022, which aims to modernize web PKI infrastructure. The recent CA/Browser Forum ballots convert that roadmap’s aspirational goals into binding TLS Baseline Requirements. For end users the changes are invisible, but for anyone responsible for certificate management, the message is clear: automated, cryptographically verifiable validation is now the industry standard, and legacy methods have an expiration date.
