<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix"><font face="Calibri">I agree if by
"WHOIS-related" methods we mean any method based on the WHOIS
protocol, either directly or via protocol gateways (e.g.
web-based interfaces to WHOIS records). And I support the WHOIS
deprecation initiative in this sense, since it has been shown
that it may be unreliable.</font></div>
<div class="moz-cite-prefix"><font face="Calibri"><br>
</font></div>
<div class="moz-cite-prefix"><font face="Calibri">However, where the
domain contacts information is obtained, e.g. via the web, from
an IANA-accredited domain registrar and is *not* based on WHIOS,
then I think it can be used. </font></div>
<div class="moz-cite-prefix"><font face="Calibri">I assume everyone
agrees as long as no one raises a hand to object.<br>
</font></div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Adriano</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Il 17/09/2024 18:04, Pedro FUENTES ha
scritto:<br>
</div>
<blockquote type="cite"
cite="mid:EDF364F5-35E6-44D3-9C9D-C25ADBC69D41@wisekey.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Could it be that we all agree that WHOIS-related
method are so tricky that it deserves to be ditched and the only
thing to requires consensus is the deadline to apply?</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">On my particular side, I personally consider that
1/1/2025 is a reasonable date. </div>
<div dir="ltr"><br>
<blockquote type="cite">Le 17 sept. 2024 à 17:59, Adriano
Santoni via Servercert-wg <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a> a
écrit :<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8">
<p><font face="Calibri">Andrew,<br>
</font></p>
<p><font face="Calibri">I was not referring to any WHOIS
server, but rather to the information about domain
"owners" that a registrar is supposed to collect and keep.</font></p>
<p><font face="Calibri">So you believe that if a CA does the
following, the domain contact email they can (sometimes)
get is <i>unreliable</i>?<br>
</font></p>
<p><font face="Calibri">1) Consult the list of accredited
domain registrars on the IANA website (<a
class="moz-txt-link-freetext"
href="https://www.icann.org/en/accredited-registrars"
moz-do-not-send="true">https://www.icann.org/en/accredited-registrars</a>),
thus finding confirmation of one particular registrar's
website the CA was looking for.<br>
2) Access the website found in point 1 above and query the
information available on a certain domain.<br>
3) At this point, sometimes (rarely) obtain, among other
information, also the email address of a domain contact.<br>
</font></p>
<p><font face="Calibri">Note that here I'm not talking about
the WHOIS protocol nor WHOIS servers, but about the
information that the domain registrar has the duty to
collect and store (not necessarily publish) about the
subject who registered a domain.<br>
</font></p>
<p><font face="Calibri">Regards,</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<div class="moz-cite-prefix">Il 17/09/2024 17:13, Andrew Ayer
ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:20240917111341.cdf23a1edda37196860e4a91@andrewayer.name">
<pre wrap="" class="moz-quote-pre">[NOTICE: Pay attention - external email - Sender is <a
class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:agwa@andrewayer.name" moz-do-not-send="true">agwa@andrewayer.name</a> ]
On Tue, 17 Sep 2024 07:21:28 +0000
Adriano Santoni via Servercert-wg <a class="moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true"><servercert-wg@cabforum.org></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">I believe that the /interactive
/query of the domain registrar, directly on its website, can be
considered reliable to the extent that the CA is confident that it is in
fact consulting the "right" website.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">CAs were not consulting the right WHOIS server, despite a database of
correct WHOIS servers existing (at least for gTLDs). How would the problem
be better when it comes to finding the "right" website?
The gTLD registry agreement requires gTLD operators to update the IANA
Rootzone Database when their WHOIS server changes; I don't see a
similar requirement for keeping a database of website URLs up-to-date.
Regards,
Andrew
</pre>
</blockquote>
<span>_______________________________________________</span><br>
<span>Servercert-wg mailing list</span><br>
<span><a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a></span><br>
<span><a class="moz-txt-link-freetext" href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=IqgVx_nvAxgc9vUVg8d2gCn7R7eMqKPCSgoIW6If9F-DHYck2BXkEdTactbQnmGx&s=TSpgJKJi2JL8yKR40EYmCep1QcQe0Ueo8VaHzA2ijT0&e=">https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=IqgVx_nvAxgc9vUVg8d2gCn7R7eMqKPCSgoIW6If9F-DHYck2BXkEdTactbQnmGx&s=TSpgJKJi2JL8yKR40EYmCep1QcQe0Ueo8VaHzA2ijT0&e=</a></span><br>
</div>
</blockquote>
</blockquote>
</body>
</html>