<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Is there feedback about the number of TLDs and possible certificate
volumes that might be affected by this attack?<br>
<br>
The majority of validations performed by CAs using WHOIS are done in
gTLDs, which have decent rules for monitoring and supervising their
operators. The biggest issue is with ccTLDs, most of which work
fine. Unfortunately, most of them do not disclose email contact
information, making them unusable for Domain Validation.<br>
<br>
Why are we causing such a large disturbance, as if the global
Internet were made unsafe by this attack, when the impact is 1 or 2 vanity
TLDs for which mitigations exist (for example, use a better library or use
the latest updated list from IANA)?<br>
<br>
I also agree with deprecating this method but we could do it in a
planned and controlled fashion. Not all validations with this method
are flawed, as it is currently presented.<br>
<br>
Also, the deprecation date of November 1, 2024 is too soon. Even if
we consider the 7+7=14 days to pass a ballot, there are 30 days of
the IPR review process making this extremely close to the Nov 1,
2024 deadline. It is also difficult for all CAs to update their RA
systems to stop re-using existing validation evidence in such a
short timeframe.<br>
<br>
Do the authors feel this ballot is so urgent that it needs such an
aggressive timeline? Is there any additional information on the
potential impact of this attack compared to the other "healthy"
cc/gTLDs? Would you consider an effective date closer to February or
March 2025?<br>
<br>
<br>
Thank you,<br>
Dimitris.<br>
<br>
<br>
<div class="moz-cite-prefix">On 16/9/2024 7:16 p.m., Ryan Dickson
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01000191fb9ea8c5-68a1a473-61c1-4de5-955a-8aa76755cf82-000000@email.amazonses.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr"><span
id="gmail-docs-internal-guid-08afa406-7fff-5526-9968-f1bb4fe7e80b"><font
face="arial, sans-serif">
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Purpose
of Ballot SC-080 V1</span><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This
Ballot proposes updates to the </span><span
style="color:rgb(14,16,26);font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Baseline
Requirements for the Issuance and Management of
Publicly-Trusted TLS Server Certificates</span><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">
(i.e., TLS BRs) related to sunsetting the use of WHOIS
when identifying Domain Contacts.</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Background:</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">In
light of recent events where research from WatchTowr
Labs demonstrated how threat actors could exploit WHOIS
to obtain fraudulently issued TLS certificates [1] and
follow-on discussions in MDSP [2][3], we drafted an
introductory proposal [4] to sunset the use of WHOIS for
identifying Domain Contacts.</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The
proposal sets a prohibition against relying on WHOIS to
identify Domain Contacts beginning 11/1/2024. At the
same time, it also prohibits use of DCV reuse where
WHOIS was used as the source of truth for a Domain
Contact.</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Proposal
Revision History</span><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<ul>
<li><span
style="background-color:transparent;color:rgb(14,16,26)">Pre-Ballot
Version #1 [4]</span></li>
</ul>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Previous
Versions of this Ballot</span><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<ul>
<li><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">N/A</span><span
style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></li>
</ul>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">References</span><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[1]
<a
href="https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/"
moz-do-not-send="true" class="moz-txt-link-freetext">https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[2]
<a
href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U"
moz-do-not-send="true" class="moz-txt-link-freetext">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[3]
<a
href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA"
moz-do-not-send="true" class="moz-txt-link-freetext">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[4]
<a
href="https://github.com/cabforum/servercert/pull/548"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/servercert/pull/548</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[5]
<a
href="https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787"
moz-do-not-send="true" class="moz-txt-link-freetext">https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The
following motion has been proposed by Ryan Dickson and
Chris Clements of Google (Chrome Root Program) and
endorsed by Arvid Vermote (GlobalSign) and Pedro Fuentes
(OISTE).</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;padding:0pt 0pt 12pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">—
Motion Begins —</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This
ballot modifies the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted TLS Server
Certificates” (“Baseline Requirements”), based on
Version 2.0.7.</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">MODIFY
the Baseline Requirements as specified in the following
Redline:</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"><a
href="https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">—
Motion Ends —</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This
ballot proposes a Final Maintenance Guideline. The
procedure for approval of this ballot is as follows:</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Discussion
(7 days)</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
Start: 2024-09-16 16:00:00 UTC</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
End no earlier than: 2024-09-23 16:00:00 UTC</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Vote
for approval (7 days)</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
Start: TBD</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
End: TBD</span></p>
</font></span><br class="gmail-Apple-interchange-newline">
</div>
<br>
</blockquote>
<br>
</body>
</html>