Buypass ID Manager with improved support for domain validation from 14 June 2023

Introduction

We are making changes to Buypass ID Manager to make it easier and more efficient for users to obtain TLS certificates. We do this by automating what we call domain validation and offering more self-service for it. Domain validation is our check that the person applying for a TLS certificate actually has the right to use the domain name that is to be included in the certificate.

To be able to apply for a TLS certificate from Buypass, the organization the certificate is to be issued to must have entered into a Subscriber Agreement. We henceforth use the term Subscriber for an organization that has entered into such an agreement and to which the certificate is to be issued. The person applying for TLS certificates in Buypass ID Manager represents one or more such Subscribers.

When issuing TLS certificates we must comply with the requirements of the CA/Browser Forum, which the browsers require us to follow. Domain owners must be assured that their domains are only used in TLS certificates if the representatives controlling those domains have given their consent. There are many ways in which this can be done, but it must be done according to the requirements mentioned.

Methods that can be used for domain validation include:

  • email to the domain contact: an email to a representative of the domain owner who can approve the use of the domain

  • use of DNS: we ask the person applying for the certificate to ensure that a code we generate is published in a DNS record as proof that the domain can be used

Once we have verified that the domain can be used by the Subscriber, we can issue certificates to the Subscriber with the relevant domain included. Such approval can be reused for up to 398 days in accordance with the requirements.

What happens now?

At this time, we make some choices on behalf of the users (Subscribers) regarding how to perform domain validation for domains that are to be included in certificates applied for. This is described in more detail in the next chapters.

Known bugs to be fixed:

  • Renewals do not add the remaining lifetime of the renewed certificate

  • The lifetime of a replacement is 1 year; it should have the same expiry date as the replaced certificate

  • The subject of the certificate email does not contain the CN field

Domain validation by email to domain contact

For Norwegian domains (ending in '.no') we do a lookup against NORID (which runs the registry for Norwegian domain names) to find contact information for the domain owner. We use the email address returned by the lookup as the domain contact to request authorization for the Subscriber to use the domain.

For all other domains, we use a predefined email address as the domain contact: hostmaster@<registered domain>, where <registered domain> is the part of the domain name that is registered in a registry such as NORID. For example, the domain names 'www.buypass.no' and 'api.acme.buypass.no' both have the same <registered domain> = 'buypass.no'.

We send an email to the domain contact (for each registered domain to be used in the certificate) and request authorization for a Subscriber to use the domain. An approval authorizes the Subscriber to use the domain, and such approval may be reused for up to 398 days. The Subscriber can then apply for certificates on the same domain until this approval expires, without us requesting new authorization. This is in accordance with the requirements and contributes to a smooth process for all parties.

A domain contact may approve or reject such a request for a Subscriber to be authorized to use the domain. If the domain contact rejects the request, there is little we can do; in that case the Subscriber should contact the domain owner to clarify the relationship.

It is important to be aware that such authorization is given to one specific Subscriber that has entered into a Subscriber Agreement with Buypass. The authorization is not automatically given to the organization that has entered into such an agreement, only to the specific Subscriber that the certificate is to be issued to. It is not possible to transfer such authorization to other Subscribers that the organization may have.
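The two rules above (how the domain contact address is derived from a host name, and how an approval is bound to one Subscriber and one registered domain and reused for up to 398 days) can be modelled as follows. This is an added example, not Buypass's own code: the NORID lookup is replaced by a constructed table, the public suffix list is a deliberately tiny constructed one (a real implementation would use the full Public Suffix List), and the Subscriber identifier is an assumed label.

```python
"""Illustrative model of domain contact derivation and per-Subscriber reuse of
a domain approval. Added example, not Buypass's own code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional, Union

# Constructed stand-in for a NORID lookup of the registrant email of a .no
# domain. A real implementation queries NORID; this table is an assumption.
NORID_REGISTRANT_EMAIL = {
    "buypass.no": "legal-contact@buypass.no",
}

# Constructed, deliberately tiny public suffix list. A real implementation
# consults the full Public Suffix List; these entries are an assumption.
PUBLIC_SUFFIXES = {"no", "com", "co.uk"}

# Maximum age of a domain validation that may be reused (CA/B Forum BR).
REUSE_DAYS = 398


def registered_domain(fqdn: str) -> str:
    """Registrable part of a host name: the label directly in front of the
    longest matching public suffix, plus that suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        raise ValueError(f"malformed host name: {fqdn!r}")
    # Candidates run from the full name down to the TLD, so the first hit is
    # the longest matching suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn!r} is a public suffix, not a registrable domain")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {fqdn!r}")


def domain_contact(fqdn: str) -> str:
    """Address the authorization request is sent to for the given host name."""
    reg = registered_domain(fqdn)
    if reg.endswith(".no"):
        # .no domains: the registrant email recorded in NORID.
        if reg not in NORID_REGISTRANT_EMAIL:
            raise LookupError(f"no NORID registrant email known for {reg}")
        return NORID_REGISTRANT_EMAIL[reg]
    # All other domains: the predefined hostmaster mailbox of the registered domain.
    return f"hostmaster@{reg}"


@dataclass(frozen=True)
class Approval:
    """A domain contact's approval, bound to one Subscriber and one registered domain."""
    subscriber_id: str          # assumed label for the Subscriber account
    registered_domain: str
    approved_on: date

    def reusable_on(self, day: date) -> bool:
        # Reusable while fewer than REUSE_DAYS have elapsed since approval.
        return self.approved_on <= day < self.approved_on + timedelta(days=REUSE_DAYS)


def find_reusable_approval(approvals: Iterable[Approval], subscriber_id: str,
                           fqdn: str, day: Union[date, str]) -> Optional[Approval]:
    """Approval that lets this Subscriber obtain a certificate for fqdn on `day`
    without a new request, or None. Approvals held by other Subscribers of the
    same organisation never match: the authorization is not transferable."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    reg = registered_domain(fqdn)
    for a in approvals:
        if a.subscriber_id == subscriber_id and a.registered_domain == reg and a.reusable_on(day):
            return a
    return None


# Constructed sample: one approval given to Subscriber "sub-1" on 14 June 2023.
SAMPLE_APPROVALS = [Approval("sub-1", "buypass.no", date(2023, 6, 14))]

if __name__ == "__main__":
    print(domain_contact("api.acme.buypass.no"))
    print(domain_contact("www.buypass.com"))
    print(find_reusable_approval(SAMPLE_APPROVALS, "sub-1", "www.buypass.no", "2024-01-01"))
    print(find_reusable_approval(SAMPLE_APPROVALS, "sub-2", "www.buypass.no", "2024-01-01"))
```

Note that an approval for 'buypass.no' covers any host name under it for the same Subscriber, while a second Subscriber of the same organisation gets None and must trigger a fresh request to the domain contact.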

For each email sent to a domain contact, we will also notify the person who applied for the certificate, so that you know what is happening. In this email we will explain that waiting for such authorization can affect the certificate's delivery time. These are circumstances beyond our control as certificate issuer.

Consequences of this change

We will enable this domain validation for all TLS certificates applied for in Buypass ID Manager from 14 June 2023.

We will continue to reuse existing domain validations for already authorized domains until they expire, in accordance with current practice. For all other domains, we will, as a general rule, automatically send emails to domain contacts as part of the automation and self-service of TLS certificate applications. However, we introduce one exception to this general rule; see Domain validation by DNS below.

Many of you already use manual variants of this type of domain validation where we send an email to a domain contact after a dialogue with you. The domain contact must then approve or reject such an authorization request by replying to the email. This will now be replaced with the solution described above.

To make this process as effective as possible, please ensure that the domain contacts we use are aware of this and can react quickly on authorization requests.

Domain validation by DNS

Some of you use DNS for domain validation: you receive a code from us and must ask the DNS operator who controls the domain to insert it into a DNS TXT record. We then look up the record, verify that the code has actually been published in DNS, and use this as confirmation that a representative of the domain owner (the DNS operator) has authorized the Subscriber to use the domain.
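The check described above, as an added example that is not Buypass's own code: a code is generated from the OS random source, and the verifier looks for it in the TXT records of the domain. The notice does not state which record name or value format is used, so the `_domain-validation` label and the plain-string value are assumptions; the resolver is injected so the example runs offline against a constructed zone.

```python
"""Illustrative DNS TXT check for a domain validation code.
Added example, not Buypass's own code."""
import hmac
import secrets
from typing import Callable, Sequence

# A resolver maps (name, record type) to the strings of the matching records.
Resolver = Callable[[str, str], Sequence[str]]


def new_validation_code(nbytes: int = 20) -> str:
    """Unpredictable code handed to the applicant: 160 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def code_published(txt_records: Sequence[str], expected: str) -> bool:
    """True if some TXT string equals the expected code exactly.
    Comparison is constant-time so timing does not leak how much matched."""
    for record in txt_records:
        value = record.strip()
        # Some tools return TXT strings with their surrounding quotes.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if hmac.compare_digest(value.encode(), expected.encode()):
            return True
    return False


def validate_by_dns(registered_domain: str, expected: str, resolve: Resolver,
                    label: str = "_domain-validation") -> bool:
    """Look up TXT at <label>.<registered domain> (the label is an assumption)
    and check for the code. A resolver error or empty answer is a failure,
    never a pass."""
    name = f"{label}.{registered_domain}"
    try:
        records = resolve(name, "TXT")
    except Exception:
        return False
    return code_published(records, expected)


# Constructed zone standing in for the live DNS answer; the code is made up.
CONSTRUCTED_ZONE = {
    ("_domain-validation.buypass.com", "TXT"): ['"v=spf1 -all"', '"c0nstructed-c0de-abc123"'],
}


def constructed_resolver(name: str, rrtype: str) -> Sequence[str]:
    """Offline resolver answering only from CONSTRUCTED_ZONE."""
    return CONSTRUCTED_ZONE.get((name.lower().rstrip("."), rrtype), [])


def failing_resolver(name: str, rrtype: str) -> Sequence[str]:
    """Simulates a resolver that cannot answer (constructed failure mode)."""
    raise RuntimeError("SERVFAIL (constructed)")


if __name__ == "__main__":
    code = new_validation_code()
    print("code to publish:", code)
    print(validate_by_dns("buypass.com", "c0nstructed-c0de-abc123", constructed_resolver))
    print(validate_by_dns("buypass.com", code, constructed_resolver))
```

The unrelated SPF record in the same answer is ignored, a code that differs in a single character fails, and a resolver error is treated as "not validated" rather than as a pass.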

At this time, we will not offer automated support for domain validation by DNS, but we will ensure that those of you who have used domain validation by DNS in the past have the opportunity to continue to use it. Here we make an exception to the general rule of domain validation via email: we will instead perform a manual domain validation using DNS in the same way as before. If you receive an email from us asking you to enter such a code into DNS, it is because you have been identified as a user of DNS for domain validation and we assume that you wish to continue with this. If this is not correct and you prefer domain validation via email, you must contact us and we will make sure that this is handled.

What happens next?

In the next phase, we will offer users greater flexibility. We will offer a wider range of domain validation methods and enable users to choose the method and preferred email addresses themselves.

More information about domain validation

For more information on which domain validation methods certificate issuers may use, see the CA/Browser Forum Baseline Requirements, section 3.2.2.4: https://cabforum.org/baseline-requirements-documents/.

Q&A

Question

Answer

What is the domain contact for .no domain names?

The domain contact registered in NORID as 'registrant email' (the email address of the domain owner). See https://www.norid.no/no/domeneoppslag/hvem-har-domenenavnet/.

The domain contact for buypass.no will be legal-contact@buypass.no.

What is the domain contact for domain names other than .no?

For domain names other than .no, the domain contact will be hostmaster@<registered domain>.

The domain contact for www.buypass.com will be hostmaster@buypass.com.

What should I do if I am unsure whether the domain contact for a .no domain name will be able to respond?

Get in touch with the domain owner/domain contact and inform them of how Buypass will perform domain validation.

If necessary, request that the email address be changed to someone who will be able to respond to/approve domain validation.

What do I do if hostmaster@<registered domain> does not exist or will not be able to respond?

Ask the domain owner to create hostmaster@<registered domain>, or inform the recipient of this email address about how Buypass will perform domain validation. If necessary, request that mail to this address be routed to someone who will be able to respond.

What do I do if I have used DNS for domain validation before and want to continue with this?

You do not need to do anything; you will be identified as someone who has used DNS before, and we will continue to use DNS for domain validation.

What do I do if I have used DNS for domain validation before and want to use automated domain validation with email to domain contact?

Send an e-mail to support@buypass.no. Ask to terminate the use of DNS and state which Subscriber (organisation number/organisation name) and which domain name this should apply to.

For how long can a domain validation be reused?

For up to 398 days.

What happens to domain validations that are still active (have not passed their lifetime of 398 days) on the day Buypass adopts the new solution?

They will be reused until they expire at the end of their 398 days.

Where can I find information about which domain validation methods Buypass is allowed to use?

CA/Browser Forum Baseline Requirements, section 3.2.2.4: https://cabforum.org/baseline-requirements-documents/