<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">Let me put it differently.</font></p>
<p><font face="Calibri">Here is the definition of Domain Contact in
BRs:<br>
</font></p>
<p><font face="Calibri">
<blockquote type="cite">
<p><font face="Calibri"><b>Domain Contact</b>: The Domain Name
Registrant, technical contact, or administrative contact <br>
</font>
(or the equivalent under a ccTLD) as listed in the WHOIS
record of the Base Domain Name or <font face="Calibri"><br>
in a DNS SOA record, or as obtained through direct contact
with the Domain Name Registrar.</font></p>
</blockquote>
</font></p>
<p><font face="Calibri">Since the changes proposed in the pull
request <a class="moz-txt-link-freetext" href="https://github.com/cabforum/servercert/pull/549">https://github.com/cabforum/servercert/pull/549</a> do not
modify the definition above, I assume that - while "CAs MUST NOT
rely on WHOIS to identify Domain Contacts" (quoting the pull
request) - nothing prevents a CA from relying on other ways to
identify Domain Contacts, e.g. "</font><font face="Calibri"><font
face="Calibri">through direct contact with the Domain Name
Registrar</font></font><font face="Calibri">".<br>
</font></p>
<p><font face="Calibri"><font face="Calibri">If my interpretation is
correct, then there is no need to talk about this anymore.</font></font></p>
<p><font face="Calibri"><font face="Calibri">If, however, my
interpretation is incorrect, and people here actually want to
deprecate the case "through direct contact with the Domain
Name Registrar" as well, then I think it is necessary to
clarify this, and probably the pull request should also
include a change to the definition mentioned above.<br>
</font></font></p>
<p><font face="Calibri">Regards</font></p>
<p><font face="Calibri">Adriano</font></p>
<br>
<div class="moz-cite-prefix">On 18/09/2024 10:59, Amir Omidi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAOG=JU+v99mrtCxsnLq4xLNgi6qQZuJaK1=pmqPRB39AJHavvQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title></title>
<div align="center">
<table width="30%" cellspacing="2" cellpadding="2" border="1">
<tbody>
<tr>
<td valign="top" bgcolor="#ffff00"> <span
style="color: red;">NOTICE:</span> Pay attention -
external email - Sender is <a class="moz-txt-link-abbreviated" href="mailto:amir@aaomidi.com">amir@aaomidi.com</a> </td>
</tr>
</tbody>
</table>
<br>
</div>
<br>
<div dir="auto">I do not agree. What’s the point of keeping this
bespoke method available? These options create complexity and
complexity creates security vulnerabilities. In what situation
would this method be useful where DNS currently can’t solve that
need?</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Sep 18, 2024 at
04:56
Adriano Santoni via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">
<div>
<div><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)">I agree
if by
"WHOIS-related" methods we mean any method based on
the
WHOIS protocol, either directly or via protocol
gateways (e.g.
web-based interfaces to WHOIS records). And I support
the WHOIS
deprecation initiative in this sense, since it has
been shown that
it may be unreliable.</font></div>
<div><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)"><br>
</font></div>
<div><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)">However,
where the domain
contacts information is obtained, e.g. via the web,
from an
IANA-accredited domain registrar and is *not* based on
WHOIS, then
I think it can be used. </font></div>
<div><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)">I assume
everyone agrees as
long as no one raises a hand to object.</font></div>
</div>
<div>
<div><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)"><br>
</font></div>
<div><br>
</div>
<div>Adriano</div>
<div><br>
</div>
<div>On 17/09/2024 18:04, Pedro FUENTES wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Could it be that we all agree that
WHOIS-related
methods are so tricky that they deserve to be ditched,
and the only
thing that requires consensus is the deadline to apply?</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">On my particular side, I personally
consider that
1/1/2025 is a reasonable date. </div>
<div dir="ltr"><br>
<blockquote type="cite">On 17 Sept 2024 at 17:59,
Adriano Santoni
via Servercert-wg <a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true">&lt;servercert-wg@cabforum.org&gt;</a>
wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<p><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)">Andrew,<br>
</font></p>
<p><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)">I
was not referring to any
WHOIS server, but rather to the information
about domain
"owners" that a registrar is supposed to collect
and
keep.</font></p>
<p><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)">So
you believe that if a CA
does the following, the domain contact email
they can (sometimes)
get is <i style="font-family:Calibri">unreliable</i>?<br>
</font></p>
<p><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)">1)
Consult the list of
accredited domain registrars on the IANA website
(<a
href="https://www.icann.org/en/accredited-registrars" target="_blank"
style="font-family:Calibri"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://www.icann.org/en/accredited-registrars</a>),
thus finding confirmation of one particular
registrar's website
the CA was looking for.<br>
2) Access the website found in point 1 above and
query the
information available on a certain domain.<br>
3) At this point, sometimes (rarely) obtain,
among other
information, also the email address of a domain
contact.<br>
</font></p>
<p><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)">Note
that here I'm not
talking about the WHOIS protocol nor WHOIS
servers, but about the
information that the domain registrar has the
duty to collect and
store (not necessarily publish) about the
subject who registered a
domain.<br>
</font></p>
<p><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)">Regards,</font></p>
<p><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)">Adriano</font></p>
<p><font face="Calibri"
style="font-family:Calibri;color:rgb(0,0,0)"><br>
</font></p>
<div>On 17/09/2024 17:13, Andrew Ayer wrote:<br>
</div>
<blockquote type="cite">
<pre style="font-family:monospace">[NOTICE: Pay attention - external email - Sender is <a
href="mailto:agwa@andrewayer.name" target="_blank"
style="font-family:monospace"
moz-do-not-send="true"
class="moz-txt-link-freetext">agwa@andrewayer.name</a> ]
On Tue, 17 Sep 2024 07:21:28 +0000
Adriano Santoni via Servercert-wg <a
href="mailto:servercert-wg@cabforum.org"
target="_blank" style="font-family:monospace"
moz-do-not-send="true"><servercert-wg@cabforum.org></a> wrote:
</pre>
<blockquote type="cite">
<pre style="font-family:monospace">I believe that the /interactive/
query of the domain registrar, directly on its website, can be
considered reliable to the extent that the CA is confident that it is in
fact consulting the "right" website.
</pre>
</blockquote>
<pre style="font-family:monospace">CAs were not consulting the right WHOIS server, despite a database of
correct WHOIS servers existing (at least for gTLDs). How would the problem
be better when it comes to finding the "right" website?
The gTLD registry agreement requires gTLD operators to update the IANA
Rootzone Database when their WHOIS server changes; I don't see a
similar requirement for keeping a database of website URLs up-to-date.
Regards,
Andrew
</pre>
</blockquote>
<span>_______________________________________________</span><br>
<span>Servercert-wg mailing list</span><br>
<span><a href="mailto:Servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a></span><br>
<span><a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
target="_blank" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span><br>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
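<p>Andrew Ayer's point above is that a database of correct WHOIS servers already exists (the IANA Root Zone Database, queried through whois.iana.org) and CAs still ended up at the wrong server, so a registrar-website lookup with no such database would be harder, not easier, to get right. The following is an added example, not code from this thread, from the CA/Browser Forum or from any CA: it walks the WHOIS referral chain IANA &rarr; registry &rarr; registrar from the IANA record instead of a hard-coded table, flags table entries that disagree with IANA (the failure mode Andrew describes), and pulls out the registrant/admin/tech e-mail fields that correspond to the three Domain Contact roles in the BR definition quoted at the top. Network access is replaced by a <code>fetch</code> callable; every response, the domain <code>example.test</code> and the servers <code>whois.nic.test</code> and <code>whois.registrar.test</code> are constructed for the example and do not exist.</p>

```python
import re

# Constructed sample responses keyed by (server, query). None of these hosts
# or records are real; they stand in for a TCP/43 exchange so the example
# runs offline.
SAMPLE_RESPONSES = {
    ("whois.iana.org", "test"): (
        "% IANA WHOIS server\n"
        "domain:       TEST\n"
        "organisation: Example TLD Operator\n"
        "whois:        whois.nic.test\n"
        "status:       ACTIVE\n"
    ),
    ("whois.iana.org", "nowhois"): (
        "domain:       NOWHOIS\n"
        "status:       ACTIVE\n"
    ),
    ("whois.nic.test", "example.test"): (
        "Domain Name: EXAMPLE.TEST\n"
        "Registry Domain ID: 1234-TEST\n"
        "Registrar WHOIS Server: whois.registrar.test\n"
        "Registrar URL: http://registrar.test\n"
        "Registrar: Example Registrar Inc.\n"
    ),
    ("whois.registrar.test", "example.test"): (
        "Domain Name: example.test\n"
        "Registrant Email: hostmaster@example.test\n"
        "Admin Email: admin@example.test\n"
        "Tech Email: noc@example.test\n"
        "Registrar Abuse Contact Email: abuse@registrar.test\n"
    ),
}


def sample_fetch(server: str, query: str) -> str:
    """Stand-in for a WHOIS query over TCP/43; serves the constructed responses."""
    try:
        return SAMPLE_RESPONSES[(server.lower(), query.lower())]
    except KeyError:
        raise ConnectionError(f"no sample response for {query!r} at {server}") from None


def parse_whois_fields(text: str) -> dict[str, list[str]]:
    """Collect 'Key: value' lines into {lowercased key: [values]}.

    Comment lines (e.g. '% ...') and lines with an empty value are skipped.
    Keys are lowercased because registries differ in capitalisation.
    """
    fields: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w /-]*?):\s*(\S.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields


def tld_of(domain: str) -> str:
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def iana_whois_server(tld: str, fetch) -> str:
    """Server of record for the TLD according to the IANA Root Zone Database."""
    servers = parse_whois_fields(fetch("whois.iana.org", tld)).get("whois", [])
    if not servers:
        raise LookupError(f"IANA lists no WHOIS server for .{tld}")
    return servers[0].lower()


def whois_chain(domain: str, fetch) -> list[str]:
    """Servers consulted, in order: IANA, the registry IANA names, then the
    registrar the registry refers to (thin registries only)."""
    registry = iana_whois_server(tld_of(domain), fetch)
    chain = ["whois.iana.org", registry]
    referral = parse_whois_fields(fetch(registry, domain)).get("registrar whois server", [])
    if referral and referral[0].lower() != registry:
        chain.append(referral[0].lower())
    return chain


def stale_entries(table: dict[str, str], fetch) -> dict[str, tuple[str, str]]:
    """Compare a hard-coded TLD->server table with IANA.

    Returns {tld: (table_value, iana_value)} for every disagreement. A client
    that keeps querying the table value after the registry changed its server
    is talking to whoever now controls the old hostname.
    """
    stale = {}
    for tld, server in table.items():
        current = iana_whois_server(tld, fetch)
        if server.lower() != current:
            stale[tld] = (server.lower(), current)
    return stale


def domain_contact_emails(registrar_response: str) -> dict[str, str]:
    """Registrant, admin and tech e-mail fields: the three Domain Contact roles
    in the BR definition. The registrar's own abuse contact is not a Domain
    Contact and is deliberately left out."""
    fields = parse_whois_fields(registrar_response)
    out = {}
    for role in ("registrant", "admin", "tech"):
        values = fields.get(f"{role} email", [])
        if values:
            out[role] = values[0].lower()
    return out


if __name__ == "__main__":
    print(whois_chain("example.test", sample_fetch))
    print(stale_entries({"test": "whois.old-operator.test"}, sample_fetch))
    print(domain_contact_emails(sample_fetch("whois.registrar.test", "example.test")))
```

<p>The design choice worth noting is that the TLD's server is never taken from local configuration: it is re-derived from the IANA record on every lookup, and <code>stale_entries</code> is what an auditor would run against an existing table. For a real query, <code>fetch</code> would open a socket to port 43 on the given host, send the query followed by CRLF and read until EOF; the parsing is unchanged.</p>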
</body>
</html>