Ballot SC-084 Introduces a New ACME Domain Validation Method

Ballot SC084: DNS Labeled with ACME Account ID Validation Method

The CA/Browser Forum has introduced a new domain validation method through Ballot SC084, referred to as the DNS-Labeled with ACME Account ID Validation Method. This method enhances the security and efficiency of domain validation by linking DNS records directly to an ACME account. With the adoption of Section 3.2.2.4.21 (DNS Labeled with Account ID – ACME) into the Baseline Requirements (BRs), the dns-account-01 challenge is now formally recognized as a valid domain control verification mechanism. 


What is the dns-account-01 Challenge?

The dns-account-01 challenge is a DNS-based validation method within the Automated Certificate Management Environment (ACME) protocol. It allows domain verification by associating a DNS record with an ACME account ID, rather than just a specific domain. This approach streamlines the process of proving domain ownership while improving security and scalability for certificate issuance. 


Key Advantages of the dns-account-01 Challenge
  • Prevention of CNAME Conflicts: Using an account-specific label in DNS validation avoids the CNAME delegation conflicts that can occur with standard dns-01 challenges.
  • Simplified Multi-Domain Management: Organizations handling multiple domains under a single ACME account benefit from a more automated and centralized validation process.
  • Stronger Security Measures: Because the challenge is tied to an ACME account, it reduces the risk of unauthorized modifications to DNS records.
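To make the account-bound record name concrete, here is an added Python example (not code from the ballot, the draft, or TuringSign) that builds the dns-01 and dns-account-01 record names side by side and models why a CNAME delegated for one account's record does not serve another account. It assumes the label construction from the IETF ACME draft that defines dns-account-01 ("_" plus base32 of the first 10 bytes of SHA-256 over the account URL), which the page does not spell out; the account URLs and key authorization are constructed samples.

```python
import base64
import hashlib

# Constructed sample values, not taken from the page: two ACME account URLs and
# the key authorization string the client holds for a pending challenge.
ACCOUNT_URL = "https://acme.example/acme/acct/12345"
OTHER_ACCOUNT_URL = "https://acme.example/acme/acct/67890"
KEY_AUTHORIZATION = "example-token.example-account-key-thumbprint"


def dns01_name(domain: str) -> str:
    """Record name queried for the classic dns-01 challenge (RFC 8555)."""
    return f"_acme-challenge.{domain}"


def account_label(account_url: str) -> str:
    """Account-specific DNS label: "_" + base32(SHA-256(account URL)[0:10]).

    Assumption: this is the construction in the IETF ACME draft that defines
    dns-account-01; the page itself does not spell out the formula.
    """
    digest = hashlib.sha256(account_url.encode("utf-8")).digest()[:10]
    return "_" + base64.b32encode(digest).decode("ascii").lower()


def dns_account01_name(domain: str, account_url: str) -> str:
    """Record name for dns-account-01: the account label is prepended to the
    usual _acme-challenge name, so each account gets its own record name."""
    return f"{account_label(account_url)}.{dns01_name(domain)}"


def txt_value(key_authorization: str) -> str:
    """TXT record content, the same as for dns-01: unpadded
    base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def delegation_covers(domain: str, delegated_for: str, requesting: str) -> bool:
    """Model of the CNAME-conflict point: a CNAME set up at the record name of
    one account only answers validation requests from that same account."""
    return dns_account01_name(domain, delegated_for) == dns_account01_name(domain, requesting)


if __name__ == "__main__":
    print("dns-01         :", dns01_name("example.com"))
    print("dns-account-01 :", dns_account01_name("example.com", ACCOUNT_URL))
    print("other account  :", dns_account01_name("example.com", OTHER_ACCOUNT_URL))
    print("TXT value      :", txt_value(KEY_AUTHORIZATION))
```

The two accounts produce different record names for the same domain, which is the property that lets a CNAME delegated for one account's label stay unusable by any other account.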


Voting Results 
  • Certificate Issuers: 19 votes in favor 
  • Certificate Consumers: 4 votes in favor (Cisco Systems, Google, Microsoft, Mozilla) 

The review period for this ballot is from January 28, 2025, to February 27, 2025. 


References to Draft RFCs 

This ballot references the latest stable versions of the draft RFCs: 

This new validation method represents a significant step forward in ensuring secure and efficient domain validation processes. 


Sources: https://cabforum.org/working-groups/server/ballots/
