<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 16/9/2024 10:25 p.m., Amir Omidi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAOG=JUKycsgKF3-fEKWkB=N_W2CkxTByhewAsG=_4FX9psCmjQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">> I also
agree with deprecating this method but we could do it in a
planned and controlled fashion. Not all validations with this
method are flawed, as it is currently presented.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div style="font-family:arial,helvetica,sans-serif"
class="gmail_default">I don't think this framing is correct.
WHOIS is both unstructured and unauthenticated data.</div>
</div>
</blockquote>
<br>
In most cases, the data structure has similar patterns and CAs have
developed methods to structure this data. DNS is also
unauthenticated data but it's been working well so far.<br>
<blockquote type="cite"
cite="mid:CAOG=JUKycsgKF3-fEKWkB=N_W2CkxTByhewAsG=_4FX9psCmjQ@mail.gmail.com">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">I would also
say that `.mobi` isn't necessarily a "vanity TLD" - and beyond
that, a vanity TLD is still part of this ecosystem. WebPKI
should try its best to not discriminate between TLDs.</div>
</div>
</blockquote>
<br>
I stand corrected on the vanity part. You are correct. We should
also not discriminate but need to take measures proportional to
the threat and potential impact. If I understand correctly, this is
about insecure/bad implementations of WHOIS libraries that use stale
entry points to query certain TLDs, instead of refreshing the IANA
sources or using IANA and then following referrals. Please correct
me if I'm missing something.<br>
<br>
<blockquote type="cite"
cite="mid:CAOG=JUKycsgKF3-fEKWkB=N_W2CkxTByhewAsG=_4FX9psCmjQ@mail.gmail.com">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">A compromise
for removing these methods can be allowing re-use of existing
authorizations done with these deprecated methods with a cut
off date of Sept 10th 2024 (around the time the watchtowr
report was released), while removing them for use for new
authorizations. This would effectively buy folks about a year
time to migrate.</div>
</div>
</blockquote>
<br>
That makes sense but kills a method that is actively used securely
for the vast majority of queries to Domain Name Registrars. Instead,
we could add controls for CAs to use WHOIS queries securely as an
emergency ballot, and gradually deprecate the WHOIS protocol,
promoting the use of RDAP in its place.<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:CAOG=JUKycsgKF3-fEKWkB=N_W2CkxTByhewAsG=_4FX9psCmjQ@mail.gmail.com">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Sep 16, 2024 at
1:19 PM Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> Is there feedback about the number of TLDs and possible
certificate volumes that might be affected by this attack?<br>
<br>
The majority of validations performed by CAs using WHOIS is
done in gTLDs, which have decent rules for monitoring and
supervising their operators. The biggest issue is with
ccTLDs, which in the majority work ok. Unfortunately, most of
them do not disclose email contact information, making them
unusable for Domain Validation.<br>
<br>
Why are we causing such a large disturbance, as if the Global
Internet is unsafe because of this attack, when the impact is 1 or 2
vanity TLDs for which mitigations exist (like using a better
library or using the latest updated list from IANA)?<br>
<br>
I also agree with deprecating this method, but we could do it
in a planned and controlled fashion. Not all validations
with this method are flawed, as is currently presented.<br>
<br>
Also, the deprecation date of November 1, 2024 is too soon.
Even if we consider the 7+7=14 days to pass a ballot, there
are 30 days of the IPR review process, making this extremely
close to the Nov 1, 2024 deadline. It is also difficult for
all CAs to update their RA systems to stop re-using existing
validation evidence in such a short timeframe.<br>
<br>
Do the authors feel this ballot is super urgent and needs
such an aggressive timeline? Is there any additional
information on the potential impact of this attack compared
to the other "healthy" cc/gTLDs? Would you consider an
effective date closer to February or March 2025?<br>
<br>
<br>
Thank you,<br>
Dimitris.<br>
<br>
<br>
<div>On 16/9/2024 7:16 p.m., Ryan Dickson via Servercert-wg
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><span
id="m_6141110153011239946m_-399155201201222410gmail-docs-internal-guid-08afa406-7fff-5526-9968-f1bb4fe7e80b"><font
face="arial, sans-serif">
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Purpose
of Ballot SC-080 V1</span><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This
Ballot proposes updates to the </span><span
style="color:rgb(14,16,26);font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Baseline
Requirements for the Issuance and Management of
Publicly-Trusted TLS Server Certificates</span><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">
(i.e., TLS BRs) related to sunsetting the use of
WHOIS when identifying Domain Contacts.</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Background:</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">In
light of recent events where research from
WatchTowr Labs demonstrated how threat actors
could exploit WHOIS to obtain fraudulently
issued TLS certificates [1] and follow-on
discussions in MDSP [2][3], we drafted an
introductory proposal [4] to sunset the use of
WHOIS for identifying Domain Contacts.</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The
proposal sets a prohibition against relying on
WHOIS to identify Domain Contacts beginning
11/1/2024. At the same time, it also prohibits
use of DCV reuse where WHOIS was used as the
source of truth for a Domain Contact.</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Proposal
Revision History</span><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<ul>
<li><span
style="background-color:transparent;color:rgb(14,16,26)">Pre-Ballot
Version #1 [4]</span></li>
</ul>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Previous
Versions of this Ballot</span><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<ul>
<li><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">N/A</span><span
style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></li>
</ul>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">References</span><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">:</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[1]
<a
href="https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[2]
<a
href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[3]
<a
href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[4]
<a
href="https://github.com/cabforum/servercert/pull/548"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/cabforum/servercert/pull/548</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[5]
<a
href="https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(14,16,26);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The
following motion has been proposed by Ryan
Dickson and Chris Clements of Google (Chrome
Root Program) and endorsed by Arvid Vermote
(GlobalSign) and Pedro Fuentes (OISTE).</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;padding:0pt 0pt 12pt"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">—
Motion Begins —</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This
ballot modifies the “Baseline Requirements for
the Issuance and Management of Publicly-Trusted
TLS Server Certificates” (“Baseline
Requirements”), based on Version 2.0.7.</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">MODIFY
the Baseline Requirements as specified in the
following Redline:</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"><a
href="https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9</a></span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">—
Motion Ends —</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This
ballot proposes a Final Maintenance Guideline.
The procedure for approval of this ballot is as
follows:</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Discussion
(7 days)</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
Start: 2024-09-16 16:00:00 UTC</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
End no earlier than: 2024-09-23 16:00:00 UTC</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(80,0,80);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Vote
for approval (7 days)</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
Start: TBD</span></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">-
End: TBD</span></p>
</font></span><br>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Servercert-wg mailing list
<a href="mailto:Servercert-wg@cabforum.org" moz-do-not-send="true"
class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
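The mitigation Dimitris describes above (refresh the IANA source and follow its referral rather than trusting a hard-coded per-TLD server list), written out as an added example; this is not code from the thread or from any CA's validation system. The TLD, registry name and legacy server value in the sample are constructed placeholders, and the RFC 3912 client is a minimal illustration.

```python
"""Resolve a TLD's authoritative WHOIS server from IANA's live referral and
flag entries in a legacy hard-coded table that no longer match it."""
import re
import socket
from typing import Optional

IANA_WHOIS = "whois.iana.org"

# Constructed, abbreviated sample of an IANA WHOIS answer for a TLD query.
# The field layout follows IANA's format; the values are placeholders.
SAMPLE_IANA_RESPONSE = """\
% IANA WHOIS server
% This query returned 1 object

domain:       EXAMPLE-TLD
organisation: Example Registry Operator (constructed)
whois:        whois.nic.example-tld
status:       ACTIVE
"""

# A legacy hard-coded table of the kind older WHOIS clients ship with; the
# entry below is a constructed example of a stale value.
LEGACY_TABLE = {"example-tld": "whois.old-registry.example"}


def parse_iana_referral(text: str) -> Optional[str]:
    """Return the server named on IANA's 'whois:' (or 'refer:') line, if any."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            continue  # blank lines and IANA comments
        m = re.match(r"^(?:whois|refer):\s*(\S+)$", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Minimal RFC 3912 exchange: send the query plus CRLF, read until EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def resolve_tld_server(tld: str, fetch=whois_query) -> Optional[str]:
    """Ask IANA for the TLD's current WHOIS server; fetch is injectable."""
    return parse_iana_referral(fetch(IANA_WHOIS, tld))


def check_stale(tld: str, fetch=whois_query) -> dict:
    """Compare the legacy table entry for a TLD against IANA's live referral."""
    current = resolve_tld_server(tld, fetch)
    legacy = LEGACY_TABLE.get(tld.lower())
    stale = legacy is not None and current is not None and legacy != current
    return {"tld": tld, "legacy": legacy, "current": current, "stale": stale}
```

A validation pipeline that refreshes the referral on every lookup never sends a query to a server that IANA no longer lists, which is the failure mode the thread is discussing.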
</body>
</html>