The HTTPS certificate ecosystem is beginning a phased retreat from weaker methods of domain ownership verification. The Chrome Root Program and the CA/Browser Forum have approved new requirements for certificate authorities that will gradually retire eleven “legacy” Domain Control Validation (DCV) mechanisms.
The rationale is straightforward: when trust in a certificate rests on fragile signals—such as emails, phone calls, or loosely correlated contact details—attackers gain opportunities to circumvent checks and obtain certificates for domains they do not control. These loopholes are now being deliberately closed, with the emphasis shifting toward automated, cryptographically verifiable approaches.
The changes are codified in ballots SC-080, SC-090, and SC-091 and will be rolled out incrementally, giving site operators time to migrate to modern validation schemes. The full impact of the tightening is expected by March 2028, when obsolete checks will be fully retired. The authors link these reforms to the publicly stated “Moving Forward, Together” roadmap launched in 2022: what began as a strategic direction has, through updates to the TLS Baseline Requirements, evolved into a binding industry policy—continuing a broader wave of security initiatives that have already matured into shared standards.
DCV is a critical safeguard designed to ensure that a certificate is issued only to the legitimate operator of a domain, not to an interloper. Without robust validation, an attacker could obtain a seemingly “valid” certificate for someone else’s site and use it for impersonation or traffic interception, all while remaining within the formal bounds of the trust chain. Modern validation typically follows a challenge–response model: the certificate authority issues a random value, and the applicant proves control by placing it in a predefined location—such as a DNS TXT record—after which the authority verifies the response.
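To make the challenge–response model concrete, here is an added example (not code from the article, the Chrome Root Program, or the CA/B Forum) that simulates the ACME DNS-01 flow from RFC 8555: the CA mints a random token, the applicant derives the TXT record value as base64url(SHA-256(token "." account-key-thumbprint)) and publishes it at `_acme-challenge.<domain>`, and the CA looks the record up and compares. The DNS zone is an in-memory dictionary and the account key thumbprint is a constructed stand-in, so it runs offline; the function names are this example's own.

```python
"""Simulated ACME-style DNS-01 domain control validation (added example).

Models the challenge-response pattern: the CA issues an unpredictable token,
the applicant publishes a value derived from it in a TXT record, and the CA
verifies. The "zone" is an in-memory dict (constructed); no network is used.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_token() -> str:
    """CA side: a fresh token with 128 bits of entropy (22 base64url characters)."""
    return b64url(secrets.token_bytes(16))


def key_authorization(token: str, account_thumbprint: str) -> str:
    """Applicant side: binds the token to the ACME account key (RFC 8555 section 8.1)."""
    return f"{token}.{account_thumbprint}"


def dns01_record_value(token: str, account_thumbprint: str) -> str:
    """Value the applicant publishes: base64url(SHA-256(key authorization)) (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, account_thumbprint).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(domain: str) -> str:
    """Owner name of the TXT record the CA queries, as a fully qualified name."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def validate_dns01(zone: dict, domain: str, token: str, account_thumbprint: str) -> bool:
    """CA side: succeed only if some TXT string at the challenge name equals the expected value.

    The expected value depends on both the token and the account key, so a
    record left over from an earlier challenge (or planted by someone who only
    learned the token) does not satisfy a new challenge.
    """
    expected = dns01_record_value(token, account_thumbprint).encode("ascii")
    records = zone.get(challenge_name(domain), [])
    return any(hmac.compare_digest(rec.encode("utf-8"), expected) for rec in records)


def demo() -> dict:
    """Walk through the cases a CA verifier has to get right; returns each outcome."""
    # Constructed stand-in for the base64url JWK thumbprint of the applicant's account key.
    thumbprint = b64url(hashlib.sha256(b"constructed-account-key").digest())
    zone: dict = {}
    token = new_token()

    # No record published yet: validation must fail.
    before = validate_dns01(zone, "example.com", token, thumbprint)

    # Applicant publishes the correct value: validation passes.
    zone[challenge_name("example.com")] = [dns01_record_value(token, thumbprint)]
    after = validate_dns01(zone, "example.com", token, thumbprint)

    # A later challenge issues a new token; the stale record does not satisfy it.
    stale = validate_dns01(zone, "example.com", new_token(), thumbprint)

    # Same token but a different account key: the record value differs, so it fails.
    other_account = validate_dns01(zone, "example.com", token, "other-thumbprint")

    return {"before": before, "after": after, "stale": stale, "other_account": other_account}


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} -> {'valid' if ok else 'rejected'}")
```

The design point is that the proof lives in a location only the domain's operator can write, and the published value is bound to both the random token and the applicant's account key; contrast that with the retiring methods, where a stale WHOIS entry or a forwarded mailbox could stand in for control of the zone.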
Historically, however, a range of indirect methods were also accepted, relying on circumstantial indicators of ownership—WHOIS contact details or correspondence with addresses that merely “looked right.” It is precisely these practices that are now deemed problematic. As part of the phased deprecation, checks based on messages sent to domain or IP contacts via email, fax, SMS, or postal mail are being eliminated, along with the use of “constructed” domain email addresses and notifications sent to contacts listed in DNS CAA or DNS TXT records. The same fate awaits telephone-based confirmations—whether via domain contacts, phone numbers embedded in DNS TXT or CAA records, or IP contact details—as well as reverse IP address lookup schemes.
For everyday browser users, these changes will be largely invisible—and that is by design. Behind the scenes, however, they significantly raise the bar for deceiving certificate authorities through outdated or opaque signals, such as stale contact records, convoluted forwarding chains in telephony or email systems, or long-inherited administrative artifacts.
The net result is an industry-wide shift toward standardized, modern, and auditable DCV methods, including greater reliance on automation frameworks like ACME. At the same time, these reforms encourage faster and simpler certificate lifecycle management. Ultimately, the goal is to excise the weakest links from the process on which trust in secure internet connections depends, strengthening this foundational infrastructure for everyone.