GDPR and SSL

Due to the recent developments regarding the public WHOIS and the GDPR, which limit what WHOIS servers return, ordering an SSL certificate has become somewhat more difficult: email address validation may in some cases no longer be an option, because the addresses it relies on are no longer published under the restrictions imposed by the GDPR.

Email validation for DV (domain validated) SSL certificates can only be approved via one of the default mail addresses:

  • admin@example.com
  • administrator@example.com
  • hostmaster@example.com
  • postmaster@example.com
  • webmaster@example.com

More information regarding the GDPR and the changes to the WHOIS output can be found here:

The ICANN WHOIS system is gone, the process for a GDPR compliant WHOIS has started!

However, there are alternatives that are more in the spirit of Art 25 of the GDPR and do not require the processing of possible personal data through a public WHOIS.

These alternatives are:

  • HTTP(s) validation, also known as File based validation.
  • DNS validation.

Below is a screenshot with more information on how to validate DV SSL certificates via HTTP(S) or DNS validation through Realtime Register. Navigate to “SSL certificates” in the left tab. Select “Positive SSL” or “Positive SSL Wildcard” and click Next.

On the next page, you can provide the CSR and select the server software it is intended for.

After filling in the CSR and selecting the server software, you can continue to the next page:

Here you can provide the period, contact handle, validation method or dcvEmailAddress. For the validation method you can choose between:

  • E-mail based verification
  • DNS based verification
  • HTTP(S) based validation (file based validation)

Complete documentation and a how-to for DNS or file-based validation is available at https://support.comodo.com/index.php?/Knowledgebase/Article/View/791/0/alternative-methods-of-domain-control-validation-dcv


FAQ Privacy Protect support

1. What does privacy protect do?
2. Why should you offer privacy protect to your customers?
3. What are the benefits of privacy protecting?
4. How can I set all domains of a registrant contact to privacy protect?
5. Do I need to have consent of the registrant for privacy protect?
6. Do ALL TLDs allow privacy protecting?
7. How can someone get in touch with the registrant of a privacy protected domain?
8. Why should I set my customers' domains to client transfer prohibited TRUE?
9. How about exposing registrant information through the other contacts?

1. What does privacy protect do?

Realtime Register privacy protect removes the exposed registrant information and replaces it with a default data set and an email address related to the domain name.

Example WHOIS output for a non-privacy protected domain

Registrant Name: John Johnson
Registrant Organization:
Registrant Street: 404 street name
Registrant City: Amsterdam
Registrant State/Province:
Registrant Postal Code: 1000 AA
Registrant Country: NL
Registrant Phone: +31.106660666
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: john@whatever.whatever

Example WHOIS output for a privacy protected domain

Registrant Name: Privacy Protect
Registrant Organization: My Domain Provider
Registrant Street: Ceintuurbaan 32A
Registrant City: Zwolle
Registrant State/Province: 
Registrant Postal Code: 8024 AA
Registrant Country: NL
Registrant Phone: +31.382305013
Registrant Phone Ext:
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: domainname.extension@mydomainprovider.com


Here “domainname.extension” is replaced by the domain name of the WHOIS output. If the phone number is called, a recorded message is played asking the caller to contact the registrant through email.
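As an added check (example code written for this page, not Realtime Register's own tooling), a small Python audit of the registrant lines in a WHOIS output: it recognises the privacy protect placeholder described above by the “Privacy Protect” name together with the domainname.extension@mydomainprovider.com mailbox, and for any other record lists which filled-in registrant fields are exposed. The two sample records and the domain example.com are constructed.

```python
import re

# Constructed samples shaped like the page's two WHOIS excerpts (not live output).
UNPROTECTED = """\
Registrant Name: John Johnson
Registrant Organization:
Registrant Street: 404 street name
Registrant City: Amsterdam
Registrant Postal Code: 1000 AA
Registrant Country: NL
Registrant Phone: +31.106660666
Registrant Email: john@whatever.whatever
"""

PROTECTED = """\
Registrant Name: Privacy Protect
Registrant Organization: My Domain Provider
Registrant Street: Ceintuurbaan 32A
Registrant City: Zwolle
Registrant Postal Code: 8024 AA
Registrant Country: NL
Registrant Phone: +31.382305013
Registrant Email: example.com@mydomainprovider.com
"""

# Registrant fields that carry personal data when they are filled in.
PERSONAL_FIELDS = ("Name", "Street", "City", "Postal Code", "Phone", "Fax", "Email")

def parse_registrant(whois_text):
    """Map 'Registrant <field>: <value>' lines to {field: value} (empty -> '')."""
    fields = {}
    for line in whois_text.splitlines():
        m = re.match(r"^Registrant ([^:]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def is_privacy_protected(fields, domain, provider_host="mydomainprovider.com"):
    """Privacy protect shows the placeholder name and a <domain>@<provider> mailbox."""
    expected_mail = f"{domain}@{provider_host}".lower()
    return (fields.get("Name", "").lower() == "privacy protect"
            and fields.get("Email", "").lower() == expected_mail)

def exposed_personal_fields(fields, domain):
    """Non-empty personal fields that the WHOIS would publish for the registrant."""
    if is_privacy_protected(fields, domain):
        return []  # provider's placeholder data set, nothing of the registrant's
    return [f for f in PERSONAL_FIELDS if fields.get(f)]
```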


2. Why should you offer privacy protect to your customers?

By exposing the registrant information, you might be in breach of the GDPR, especially if you don’t have explicit consent to publish the registrant information in a public WHOIS. In addition, privacy is a human right; as article 12 of the United Nations Universal Declaration of Human Rights states:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.


3. What are the benefits of privacy protecting?

  • It protects your customer’s privacy even more effectively.
  • It prevents spam by email, phone calls or text messages to your customers.
  • It is compliant with over 100 data protection laws worldwide.


4. How can I set all domains of a registrant contact to privacy protect?

For starters, make sure you have your customer’s consent for setting domains to privacy protect, either through explicit consent or through your terms of service. If you use the Realtime Register Domain Manager, a Privacy Protect step-by-step plan is available for you. If you use the Realtime Register API, you can use the API commands to set domains to privacy protect. Even then, however, you will want to have a look at the Privacy Protect step-by-step plan.


5. Do I need to have consent of the registrant for privacy protect?

Yes, you need to have some form of consent; please have a look at item 4 of this FAQ. The privacy protect feature also sets the domain to transfer prohibited, which also requires the consent of the registrant.


6. Do ALL TLDs allow privacy protecting?

Nope, I am sorry. However, privacy protect is allowed for practically all generic TLDs. Most ccTLDs don’t allow it, but the ccTLDs that don’t allow privacy protect generally show very little information anyway, so effectively the domain is privacy protected.
For example, the Dutch .nl extension does not display the registrant name if no organization name has been added to the registrant information, as do other ccTLD registries such as DNS BE, EURid and Afnic.


7. How can someone get in touch with the registrant of a privacy protected domain?

Basically, in two ways: by using a captcha-protected form at mydomainprovider.com, or by sending an email to the domainname.extension@mydomainprovider.com email address.

  1. If the form at mydomainprovider.com is used, the email, with an optional attachment, is sent directly to the registrant’s email address in the registrant contact handle. Of course, the sender does not get to see the real address.
  2. If the mail is sent directly to the email address in the whois, the behaviour depends on the status of the client transfer prohibited setting.
    1. If client transfer prohibited is TRUE, the sender gets an email asking them to use the mydomainprovider.com form, effectively blocking spam bots from reaching the registrant.
    2. If client transfer prohibited is FALSE, the registrant gets a standard email with a link to view the message. Attachments from the sender are discarded. This route offers only limited protection from spam, but it allows transfer-out FOAs (Forms of Authorization) to reach the registrant.


8. Why should I set my customers' domains to client transfer prohibited TRUE?

  1. It helps to prevent domain theft and unwanted transfers.
    • Even if one of your staff members has been socially engineered into providing an authorization code to an unauthorized person, it adds an additional hurdle to transferring the domain away.
  2. It reduces spam reaching the registrant even further.
    • If the domain is privacy protected, automated spam is unable to reach your customer’s mailbox.


9. How about exposing registrant information through the other contacts?

That is a tricky one. If you use different contacts that are filled with the registrant’s information, you will end up unwillingly exposing the registrant’s contact information. In general, there are two approaches:

  1. Change all admin, billing and tech contacts to a contact that has your brand information. As a nice side effect, your brand gets more exposure in the whois information.
  2. Change all contacts to the contact handle of the registrant. This way, these whois contacts will also display the privacy protect information.

It’s up to you, make your pick!