<div dir="ltr"><span id="gmail-docs-internal-guid-321bc660-7fff-301a-2b9e-dc78206fac7f"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Hi Mike,</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The immediate thought was to allow existing certificates to expire naturally, but it also seems valuable to review the community’s past response(s) when having sunset other DCV methods (like </span><a href="https://cabforum.org/2020/08/14/ballot-sc33-tls-using-alpn-method/" style="text-decoration-line:none"><span style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">here</span></a><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">). </span><a href="https://groups.google.com/g/mozilla.dev.security.policy/c/RHsIInIjJA0/m/LKrNi35aAQAJ" style="text-decoration-line:none"><span style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">This</span></a><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> thread appears informative, and I suspect there are others like it. </span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Happy to hear additional opinions from the community, especially those with direct lessons learned from the past.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Thanks,</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Ryan</span></p></span><br class="gmail-Apple-interchange-newline"></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 16, 2024 at 12:59 PM Mike Shaver <<a href="mailto:mike.shaver@gmail.com">mike.shaver@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Thanks for the action on this.</div><div dir="auto"><br></div><div dir="auto">Should this ballot include guidance or instruction for CAs who have been using Whois DCV previously? Are we content to simply let Whois-validated certs expire, or should CAs revalidate domain control for relevant certs using an approved method? If domain control can be validated, then I don’t think there would be any need to revoke/reissue (unless the CPS calls out Whois DCV maybe? I don’t know of any such). If it *can’t* be revalidated, then revoking the certificate is probably appropriate!</div><div dir="auto"><br></div><div dir="auto">Mike</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 16, 2024 at 12:15 PM Ryan Dickson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span id="m_6755718610833335143m_2251737597929280464gmail-docs-internal-guid-08afa406-7fff-5526-9968-f1bb4fe7e80b"><font face="arial, sans-serif"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Purpose of Ballot SC-080 V1</span><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This Ballot proposes updates to the </span><span style="color:rgb(14,16,26);font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates</span><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> (i.e., TLS BRs) related to sunsetting the use of WHOIS when identifying Domain Contacts.</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Background:</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">In light of recent events where research from WatchTowr Labs demonstrated how threat actors could exploit WHOIS to obtain fraudulently issued TLS certificates [1] and follow-on discussions in MDSP [2][3], we drafted an introductory proposal [4] to sunset the use of WHOIS for identifying Domain Contacts.</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The proposal sets a prohibition against relying on WHOIS to identify Domain Contacts beginning 11/1/2024. At the same time, it also prohibits use of DCV reuse where WHOIS was used as the source of truth for a Domain Contact.</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Proposal Revision History</span><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"></p><ul><li><span style="background-color:transparent;color:rgb(14,16,26)">Pre-Ballot Version #1 [4]</span></li></ul><p></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Previous Versions of this Ballot</span><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"></p><ul><li><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">N/A</span><span style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></li></ul><p></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">References</span><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[1] <a href="https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/" target="_blank">https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/</a></span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[2] <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U" target="_blank">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U</a></span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[3] <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA" target="_blank">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA</a></span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[4] <a href="https://github.com/cabforum/servercert/pull/548" target="_blank">https://github.com/cabforum/servercert/pull/548</a></span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[5] <a href="https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787" target="_blank">https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787</a></span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The following motion has been proposed by Ryan Dickson and Chris Clements of Google (Chrome Root Program) and endorsed by Arvid Vermote (GlobalSign) and Pedro Fuentes (OISTE).</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;padding:0pt 0pt 12pt"><br></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">— Motion Begins —</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates” (“Baseline Requirements”), based on Version 2.0.7.</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">MODIFY the Baseline Requirements as specified in the following Redline:</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"><a href="https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9" target="_blank">https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9</a></span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">— Motion Ends —</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Discussion (7 days)</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">- Start: 2024-09-16 16:00:00 UTC</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">- End no earlier than: 2024-09-23 16:00:00 UTC</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Vote for approval (7 days)</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">- Start: TBD</span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">- End: TBD</span></p></font></span><br></div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote></div></div>
</blockquote></div>