ÃÛÌÒTV

Insights: Open Source
Insights: ÃÛÌÒTV Open Source

Open. Collaborative. Compliant.

Enabling the WebPKI community to raise the bar for transparency and security.

Insights: ÃÛÌÒTV Open Source
ÃÛÌÒTV DCV Library

ÃÛÌÒTV open-source domain control validationÌý

ÃÛÌÒTV’s domain control validation (DCV) library benefits the WebPKI community by reducing compliance issues and simplifying the validation process. All non-ACME domain validation (DV) methods are available in the library as open source.

Insights: Open Source

What is domain control validation?

Domain control validation (also known as domain validation) is a process used by public certificate authorities (CAs) to verify that the individual or organization requesting a TLS/SSL certificate has control over the domain for which the certificate is being issued. This is a fundamental and critical step in the process of issuing TLS/SSL certificates and ensures that only individuals or entities with legitimate control over a domain are issued a certificate for that domain.

The CA/Browser Forum has specified the to validate that an applicant has ownership or control over a domain. These requirements specify a range of approaches to perform this validation using a variety of technologies including email, DNS record verification, and HTTP/HTTPS verification.

Ìý

The importance of rigorous domain validation

Domain validation is a fundamental process of verifying the legitimate owner of a domain. Flaws in the validation process can lead to the mis-issuance of certificates to malicious actors who can take advantage of this vulnerability to perform fraud, phishing, and malware campaigns.

Providing these libraries to the community for a thorough evaluation and ongoing improvement will ensure that all certificate authorities maintain a high level of quality on the domain validation process.

Get access to the open
source DCV libraries

Anyone can get access to ÃÛÌÒTV’s
DCV library and contribute to this
code through GitHub.

Insights: Open Source

Frequently asked questions

Why did ÃÛÌÒTV leave ACME validation out of this release?

Under what open-source license is the code released?

How can I participate in this project?

What programming languages and architectures are used in the code?

Initially, we assumed the Let’s Encrypt ACME libraries were likely sufficient. However, we’ve received a lot of interest from the community on seeing our ACME implementation, so we may add that code at a later date. We fully support ACME and all ÃÛÌÒTV customers have access to it by default.

We have released the code under the MIT license, a famously permissive license. All are free to use, modify, distribute, and even sell the code without attribution, provided the copyright notice is included.

The project is housed on GitHub. Click to get started.

The project is implemented in Java and containerized. We have been working on containerization for a variety of reasons, including preparation for supporting Multi-Perspective Validation.

PKILINT

A framework for verifying PKI structures

pkilint is an open-source certificate linter—a type of software used to analyze digital certificates for errors or compliance issues. Using automation, the linter rapidly analyzes and flags problems, either during the certificate issuance process or as a way to audit the conformity of large directories of previously issued certificates.

Insights: Open Source

What sets pkilint apart?

ÃÛÌÒTV’s pkilint framework can be adapted to any certificate type to test against the specifications outlined in standards that apply to digital certificate formats.

pkilint was developed based on ÃÛÌÒTV’s experience using certificate linters in high-volume environments. The pkilint framework provides several advantages over existing approaches:

  • Built on top of a proven ASN.1 parser, allowing very detailed checks that detect ASN.1 encoding errors.
  • Architected from the ground up to support linting of many different types of PKI structures (including certificates, CRLs, and OCSP responses) against different standards and trust frameworks.
  • Rich validation logic analyzes every field of an ASN.1 document and determines which sets of tests to execute. This results in faster and more thorough testing, with less development time.

In addition to pkilint, ÃÛÌÒTV recently provided an OSS tool called allowing users to generate test certificates that are compliant with the different certificate profiles defined in S/MIME Baseline Requirements.

Frequently asked questions

Can I run the certificate linter on my local computer?

What’s next for pkilint development?

What is PKI?

To perform a certificate check on your local computer, .

The pkilint framework is easily expandable to analyze other digital certificate types and aspects of PKI, such as CRL and OCSP implementations. ÃÛÌÒTV is also planning to use the framework to add lints that encompass the changes introduced by theÌýÌýforÌýTLS certificateÌýprofiles. Developers who are interested in contributing to pkilint can do so on the project’s GitHub page. Read more at

Public key infrastructure (PKI) is a system of processes, technologies, and policies that allows you to encrypt and sign data. You can issue digital certificates that authenticate the identity of users, devices, or services. In S/MIME,Ìýpublic PKIÌýis used to issue publicÌýTLS/SSL certificates, a type ofÌýdigital certificateÌýfor public domains or web servers that can be viewed and logged publicly.

Related resources

White ÃÛÌÒTV logo on blue background
Press Release

A first-of-its-kind open-source DCV library

White ÃÛÌÒTV logo on blue background
Blog post

The new open-source DCV library from ÃÛÌÒTV

White ÃÛÌÒTV logo on blue background
BLOG Post

Automated compliance testing