Cryptographically-Secured Domain Validation
Authors: Grace Cimaszewski (Princeton University), Henry Birge-Lee (Princeton University), Cyrill Krähenbühl (Princeton University), Liang Wang (Princeton University), Aaron Gable (Let's Encrypt), Prateek Mittal (Princeton University)
Volume: 2026
Issue: 2
Pages: 452–471
DOI: https://doi.org/10.56553/popets-2026-0056
Abstract: Certificate Authorities (CAs) bootstrap HTTPS-based privacy and trust on the Internet by authenticating the identity of domain names via a process known as domain control validation (DV). Ironically, currently used DV mechanisms rely on unauthenticated web protocols, including plaintext DNS and HTTP, and have been shown vulnerable to a range of network attacks. To address this critical challenge, we propose a framework for cryptographic verification of domain control, which fundamentally mitigates network-layer attacks. Our framework rethinks live DV protocol mechanisms using a domain owner specified security policy which constrains CAs to use authenticated channels and provide cryptographic verification. Our approach minimizes deployment burden on CAs by leveraging existing pieces of the Web PKI and DNS ecosystems,such as Certificate Authority Authorization (CAA) policies and secure DNS. We demonstrate the security properties of our design formally using the Tamarin verification tool and empirically via ethically-conducted real-world attacks. We showcase the feasibility of our framework through collaboration with a major anonymous CA: we analyze DNS and certificate issuance practices of over 400M live domains to understand the current state of CAA policies and secure DNS. We also report on the CA’s experiences implementing parts of our design in production. Finally, to realize our framework in the live Web PKI, we led a successful standardization effort for mandatory use of secure DNS by CAs at the CA/Browser Forum.
Keywords: Web PKI, domain control validation, HTTPS privacy
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
