<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">>
I also agree with deprecating this method but we could do it in a
planned and controlled fashion. Not all validations with this method
are flawed, as it is currently presented.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default">I don't think this framing is correct. WHOIS is both unstructured and unauthenticated data.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">I would also say that `.mobi` isn't necessarily a "vanity TLD" - and beyond that, a vanity TLD is still part of this ecosystem. WebPKI should try its best to not discriminate between TLDs.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">A compromise for removing these methods can be allowing re-use of existing authorizations done with these deprecated methods with a cut-off date of Sept 10th 2024 (around the time the watchTowr report was released), while removing them for use for new authorizations. This would effectively buy folks about a year's time to migrate.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 16, 2024 at 1:19 PM Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
Is there feedback about the number of TLDs and possible certificate
volumes that might be affected by this attack?<br>
<br>
The majority of validations performed by CAs using WHOIS are done in
gTLDs, which have decent rules for monitoring and supervising their
operators. The biggest issue is with ccTLDs, which in the majority work
ok. Unfortunately, most of them do not disclose email contact
information, making them unusable for Domain Validation.<br>
<br>
Why are we causing such a large disturbance, as if the Global
Internet were made unsafe by this attack, when the impact is 1 or 2 vanity
TLDs for which mitigations exist (like, use a better library or use
the latest updated list from IANA)?<br>
<br>
I also agree with deprecating this method but we could do it in a
planned and controlled fashion. Not all validations with this method
are flawed, as it is currently presented.<br>
<br>
Also, the deprecation date of November 1, 2024 is too soon. Even if
we consider the 7+7=14 days to pass a ballot, there are 30 days of
the IPR review process making this extremely close to the Nov 1,
2024 deadline. It is also difficult for all CAs to update their RA
systems to stop re-using existing validation evidence in such a
short timeframe.<br>
<br>
Do the authors feel this ballot is super urgent and needs such an
aggressive timeline? Is there any additional information on the
potential impact of this attack compared to the other "healthy"
cc/gTLDs? Would you consider an effective date closer to February or
March 2025?<br>
<br>
<br>
Thank you,<br>
Dimitris.<br>
<br>
<br>
<div>On 16/9/2024 7:16 p.m., Ryan Dickson
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><span id="m_6141110153011239946m_-399155201201222410gmail-docs-internal-guid-08afa406-7fff-5526-9968-f1bb4fe7e80b"><font face="arial, sans-serif">
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Purpose
of Ballot SC-080 V1</span><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This
Ballot proposes updates to the </span><span style="color:rgb(14,16,26);font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Baseline
Requirements for the Issuance and Management of
Publicly-Trusted TLS Server Certificates</span><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">
(i.e., TLS BRs) related to sunsetting the use of WHOIS
when identifying Domain Contacts.</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Background:</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">In
light of recent events where research from WatchTowr
Labs demonstrated how threat actors could exploit WHOIS
to obtain fraudulently issued TLS certificates [1] and
follow-on discussions in MDSP [2][3], we drafted an
introductory proposal [4] to sunset the use of WHOIS for
identifying Domain Contacts.</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The
proposal sets a prohibition against relying on WHOIS to
identify Domain Contacts beginning 11/1/2024. At the
same time, it also prohibits use of DCV reuse where
WHOIS was used as the source of truth for a Domain
Contact.</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Proposal
Revision History</span><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<ul>
<li><span style="background-color:transparent;color:rgb(14,16,26)">Pre-Ballot
Version #1 [4]</span></li>
</ul>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Previous
Versions of this Ballot</span><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<ul>
<li><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">N/A</span><span style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></li>
</ul>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">References</span><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[1]
<a href="https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/" target="_blank">https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/</a></span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[2]
<a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U" target="_blank">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U</a></span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[3]
<a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA" target="_blank">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA</a></span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[4]
<a href="https://github.com/cabforum/servercert/pull/548" target="_blank">https://github.com/cabforum/servercert/pull/548</a></span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[5]
<a href="https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787" target="_blank">https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787</a></span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The
following motion has been proposed by Ryan Dickson and
Chris Clements of Google (Chrome Root Program) and
endorsed by Arvid Vermote (GlobalSign) and Pedro Fuentes
(OISTE).</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;padding:0pt 0pt 12pt"><br>
</p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">—
Motion Begins —</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This
ballot modifies the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted TLS Server
Certificates” (“Baseline Requirements”), based on
Version 2.0.7.</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">MODIFY
the Baseline Requirements as specified in the following
Redline:</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"><a href="https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9" target="_blank">https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9</a></span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">—
Motion Ends —</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This
ballot proposes a Final Maintenance Guideline. The
procedure for approval of this ballot is as follows:</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Discussion
(7 days)</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
Start: 2024-09-16 16:00:00 UTC</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
End no earlier than: 2024-09-23 16:00:00 UTC</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Vote
for approval (7 days)</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
Start: TBD</span></p>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
End: TBD</span></p>
</font></span><br>
</div>
<br>
<pre>_______________________________________________
Servercert-wg mailing list
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</div>
</blockquote></div>