The third party needs to confirm that the domain name belongs to our organization. Previously, when we used GoDaddy, we could turn off privacy protection and let them query the domain info through whois to confirm that. But Cloudflare doesn’t seem to support it (I submitted another topic, which has not been resolved yet: “How do we temporarily remove whois privacy protection”).
After communicating with the third party, it was confirmed that when we cannot make whois public, we can also prove it through the domain name certificate. The certificate should be provided by the domain name manager. How should I get a domain name certificate in Cloudflare?
Or is there any other valid way to prove that the domain name belongs to our organization?
3rd parties (GitHub, Facebook, etc.) commonly ask you to make a TXT DNS record to prove that you own the domain. I would offer that as a method to verify domain ownership. Usually the format for the DNS record is
_<3rd-party>.<your domain> and they give you random information to fill in for the value.
This is not the same as our needs.
This only proves that we can modify the domain name resolution. In our case, they need to see that the name of the organization that the domain name belongs to is consistent with the name of our business organization.
If they’re wanting an SSL certificate to verify your company name is associated with the domain, they’d likely be wanting you to install either an Organization Validation (OV) or an Extended Validation (EV) certificate.
A service provider in our business. They need to confirm that the organization holding the domain name matches the organization on the commercial contract.
Anyone can put anything they want in domain contact info for whois. There is not and never has been even a slight attempt to verify any of it. I could easily put your company name and address on a domain I own. I have for decades used a joke company name on my domains. I’ve used addresses that would be in the middle of bodies of water, if they existed. Anyone looking at whois info to verify anything is verifying nothing.
And nowadays most domains have their info redacted anyway, so they will now be failing to verify nothing.
The only real way to verify that the company’s name that owns the domain is real would be to use an extended-validation SSL certificate, because those certificates have their information verified through other means outside what people type into a form on the internet (like providing business documentation). Cloudflare does not provide this kind of certificate, but you could get one elsewhere. It won’t be free.
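Added example, not part of any post in this thread: a sketch of how a relying party could read the organization name from a site's certificate and tell a domain-validated certificate from an OV or EV one, using only Python's standard `ssl` module. The sample certificates, the contract names, and the helper names are constructed for illustration, and the DV/OV/EV classification is a heuristic based on subject fields, not a check of the certificate policy OIDs.

```python
import socket
import ssl

# Subject fields that the EV guidelines require and OV certificates normally lack.
EV_ONLY_FIELDS = {"businessCategory", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten the nested 'subject' tuple returned by getpeercert() into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def classify(cert):
    """Heuristic validation level: DV has no organizationName, EV adds EV-only fields."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    return "EV" if EV_ONLY_FIELDS.issubset(fields) else "OV"

def normalize(name):
    """Case-fold and drop commas/periods so 'Inc.' and 'INC' compare equal."""
    return " ".join(name.casefold().replace(",", " ").replace(".", " ").split())

def org_matches(cert, contract_name):
    """True only if the certificate names an organization equal to the contract party."""
    org = subject_fields(cert).get("organizationName")
    return org is not None and normalize(org) == normalize(contract_name)

def fetch_cert(host, port=443, timeout=5):
    """Fetch the chain-validated certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the dict shape getpeercert() returns.
DV_CERT = {"subject": ((("commonName", "example.com"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Widgets, Inc."),),
                       (("commonName", "example.com"),))}
EV_CERT = {"subject": ((("jurisdictionCountryName", "US"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Widgets, Inc."),),
                       (("commonName", "example.com"),))}

if __name__ == "__main__":
    for label, cert in (("dv", DV_CERT), ("ov", OV_CERT), ("ev", EV_CERT)):
        print(label, classify(cert), org_matches(cert, "EXAMPLE WIDGETS INC"))
```

`fetch_cert` returns whatever certificate the endpoint answering for the hostname presents, so a domain-validated certificate in front of the site will classify as DV regardless of who registered the domain.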