<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Regarding the proposal to sunset the use of WHOIS to identify domain contacts, I would like to make the following points.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In the domain name space, there is a distinction between WHOIS data (which we prefer to call registration data) and the WHOIS protocol. The WHOIS protocol is very old, even predating DNS. However, registration
data can be served over the Registration Data Access Protocol (RDAP), which is a modern REST-style protocol using JSON and HTTPS.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Unlike the WHOIS protocol, RDAP has a formal method for finding an authoritative server. This is defined in RFC 9224 [1]. In summary, each TLD registers a set of RDAP servers with IANA, and RDAP clients use
this information to find the authoritative server for TLDs [2]. Because of this formalized mechanism operated by the IANA, RDAP is less susceptible than the WHOIS protocol to the exploit noted by WatchTower Labs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Finally, with the recent ratification of the ICANN RDAP Amendment [3], most gTLD registries and all registrars will no longer be under obligation to operate WHOIS services starting 28 January 2025. All will
be under obligation to operate RDAP services conformant to the ICANN gTLD Profile [4].<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I hope you find this information useful in your deliberations. I’d love to have one of our RDAP subject matter experts (Andy Newton, copied here) added to this mailing list to help with any other questions
you may have on this topic. Is this something we can do?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Francisco Arias,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">VP, GDS Technical Services<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">ICANN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">[1] https://www.rfc-editor.org/info/rfc9224<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">[2] <a href="https://data.iana.org/rdap/dns.json">
https://data.iana.org/rdap/dns.json</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">[3] <a href="https://www.icann.org/en/blogs/details/icann-board-approves-rdap-amendments-04-05-2023-en">
https://www.icann.org/en/blogs/details/icann-board-approves-rdap-amendments-04-05-2023-en</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">[4] <a href="https://www.icann.org/gtld-rdap-profile">
https://www.icann.org/gtld-rdap-profile</a><o:p></o:p></span></p>
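<p class="MsoNormal"><span style="font-size:11.0pt">As an added illustration of the RFC 9224 bootstrap lookup described above (this is not code from the original message or from ICANN/IANA), the following Python resolves a domain's TLD to its registered RDAP base URL using a constructed sample in the shape of the IANA dns.json file [2]; a real client would fetch that file over HTTPS instead of the embedded sample, and the TLD/server pairs here are invented.</span></p>

```python
import json

# Constructed sample mirroring the structure of the IANA RDAP bootstrap
# registry for DNS (RFC 9224). TLDs and URLs are illustrative only; the
# reserved TLDs "example"/"test" and ".invalid" hosts are not real services.
BOOTSTRAP_JSON = """
{
  "version": "1.0",
  "publication": "2024-09-16T00:00:00Z",
  "description": "Constructed sample, not the live IANA registry",
  "services": [
    [["example", "test"], ["https://rdap.example.invalid/v1/"]],
    [["xn--examp1e"], ["http://rdap.idn.example.invalid/",
                       "https://rdap.idn.example.invalid/"]]
  ]
}
"""


def load_bootstrap(text):
    """Parse a bootstrap file into a {tld: [base_url, ...]} table."""
    data = json.loads(text)
    if data.get("version") != "1.0":
        raise ValueError("unsupported bootstrap version: %r" % data.get("version"))
    table = {}
    for entries, urls in data["services"]:
        for tld in entries:
            # Entries are TLDs (A-label form for IDNs); match case-insensitively.
            table[tld.lower()] = list(urls)
    return table


def rdap_base_for(domain, table):
    """Return the authoritative RDAP base URL for a domain, or None.

    Unlike WHOIS referral chasing, the answer comes only from the IANA-
    operated registry: a TLD with no entry yields None rather than a guess.
    """
    labels = domain.rstrip(".").lower().split(".")
    urls = table.get(labels[-1])
    if not urls:
        return None
    # Prefer HTTPS endpoints when both schemes are listed for a TLD.
    https = [u for u in urls if u.startswith("https://")]
    return (https or urls)[0]


def rdap_domain_query_url(domain, table):
    """Build the RDAP domain lookup URL (base + 'domain/<name>')."""
    base = rdap_base_for(domain, table)
    if base is None:
        return None
    return base.rstrip("/") + "/domain/" + domain.rstrip(".").lower()
```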
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal">On 9/16/24, 13:40, "Servercert-wg on behalf of Mike Shaver via Servercert-wg" <<a href="mailto:servercert-wg-bounces@cabforum.org">servercert-wg-bounces@cabforum.org</a> on behalf of
<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Hi Dimitris,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On Mon, Sep 16, 2024 at 2:07<span style="font-family:Arial,sans-serif"> </span>PM Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></p>
</div>
<div>
<div>
<blockquote style="border:none;border-right:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Is there feedback about the number of TLDs and possible certificate volumes that might be affected by this attack?<br>
<br>
The majority of validations performed by CAs using WHOIS is done in gTLDs, which have decent rules for monitoring and supervising their operators. The biggest issue is with ccTLDs, which in the majority work ok. Unfortunately, most of them do not disclose email
contact information, making them unusable for Domain Validation.<o:p></o:p></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I’ll admit that I am not very familiar with how gTLD operators manage their Whois services, or ensure prompt update when domains lapse or similar. Could you provide some more detail about the “decent rules” in place, and how they align
with the general standard of hygiene and reliability that is required of other DCV methods? As far as I can tell there isn’t even a provision for server authentication of the WHOIS protocol, meaning that it could be subverted by any MITM or DNS-poisoning adversary,
for any domain.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">As an example, we recently saw a CA reissue certificates because the (very-widely-relied-upon) Google DNS service they used for domain validation did not *guarantee* that it validated DNSSEC. That is an appropriately high level of care
for web PKI certificates, IMO.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="border:none;border-right:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Why are we causing such a large disturbance as if the Global Internet is unsafe by this attack when the impact is 1 or 2 vanity TLDs for which mitigations exist (like, use a better library or use the latest updated list from IANA)?<o:p></o:p></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I don’t see how using the updated list from IANA (updated how often and with what latency) overcomes the weaknesses in WHOIS itself, but I also don’t think that we should be treating TLDs differently in terms of the standards of authentication
required for obtaining a certificate. As far as I know, no CA has ever tried to make the argument that an incident related to certificate issuance was of lesser import or urgency because it was for a little-used service or domain. I assume (and indeed hope)
that such an argument would be ill-received by the root programs. I don’t expect that relying parties grade the web PKI’s assurances on a curve based on what domain they’re connecting to, either. And there is of course no telling which TLD will become “hot”
for popular services at any time (as happened with .io and .ai for example, or even .rs).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I may be misunderstanding your argument, though. Are you not saying that it’s no big deal if someone other than the current domain owner can get a certificate for a domain, as long as it’s a “minor” TLD?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">That plea for domain equality aside, I think describing .mobi as a “vanity” domain is ahistorical, given its origins and two-decade history. “<a href="http://amazon.mobi">amazon.mobi</a>” was registered in 2006 and remains active to this
day; I expect that it has received a fair bit of traffic from users intending to reach Amazon. The .mobi domain seems to have some level of control applied to who can register what, because
<a href="http://google.mobi">google.mobi</a> didn’t exist except when the service was under the security researchers’ control.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Mike<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>