[Servercert-wg] Discussion Period Begins - Ballot SC-080 V2: "Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods”
Ryan Dickson
ryandickson at google.com
Wed Oct 2 13:05:23 UTC 2024
Hi Antti,
Thanks for your comment.
The proposed update contains an entry in the “Relevant Dates" Table that
presents the following information:
*Compliance:* 2025-01-15
*Sections:* 3.2.2.4
*Summary Description (See Full Text for Details):* CAs MUST NOT rely on
HTTPS websites to identify Domain Contact information. RFC 3912 and RFC
7482 MUST NOT be used to validate Domain Contact information of FQDNs
containing a ccTLD. CAs MUST rely on IANA resources for identifying gTLD
Domain Contact information.
In my opinion, the above offers a summary-level description of the detailed
changes offered in Sections 3.2.2.4.2, 3.2.2.4.12, and 3.2.2.4.15.
If you have specific changes you’d like to suggest, please share them for
the group’s consideration.
Thanks!
- Ryan
On Wed, Oct 2, 2024 at 1:21 AM Backman, Antti <
antti.backman at teliacompany.com> wrote:
> Hi,
>
>
>
> As per my quick initial review of this ballot, one question / comment.
>
>
>
> Should the relevant dates list the changes made to *3.2.2.4.12 *coming
> effective Jan 15th, 2025? I believe the changes in the section are very
> relevant to CAs?
>
>
>
>
>
> //Antti
>
>
>
> *From: *Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of
> Ryan Dickson via Servercert-wg <servercert-wg at cabforum.org>
> *Date: *Tuesday, 1. October 2024 at 19.59
> *To: *ServerCert CA/BF <servercert-wg at cabforum.org>
> *Subject: *[Servercert-wg] Discussion Period Begins - Ballot SC-080 V2:
> "Sunset the use of WHOIS to identify Domain Contacts and relying DCV
> Methods”
>
>
> *Purpose of Ballot SC-080 V2:*This ballot proposes updates to the
> Baseline Requirements for the Issuance and Management of Publicly-Trusted
> TLS Server Certificates (TLS BRs) to address concerns regarding the use of
> WHOIS and HTTPS websites for identifying Domain Contacts.
>
>
> *Background:*This ballot intends to accomplish two objectives, originally
> described in [1].
>
>
> Objective 1: Enhance WHOIS/RDAP validation of gTLDs with comparable
> security properties to DNS-based validation and sunset WHOIS/RDAP for
> ccTLDs.
>
> *Justification:*
>
> - A recent disclosure [2] demonstrated how threat actors could exploit
> deficiencies in the WHOIS protocol and WHOIS tools served via HTTPS
> websites to obtain fraudulent TLS certificates.
> - Discussions within the Mozilla Dev Security Policy (MDSP) community
> [3] further expressed corresponding risks related to WHOIS, while also
> noting that ccTLDs may not maintain accurate or up-to-date WHOIS server
> records. Several examples of inoperative WHOIS servers for ccTLDs were
> identified.
> - Discussion in [4] further called into question the reliability of
> ccTLD WHOIS servers given, per IANA, there is no global policy requirement
> for ccTLD managers to operate a WHOIS server, and if they do, what kind of
> information is provided.
> - Solutions to strengthen existing WHOIS lookup methods were proposed
> in [5] and are considered in this ballot.
>
>
>
> Objective 2: Sunset Methods 3.2.2.4.2 (“Email, Fax, SMS, or Postal Mail to
> Domain Contact”) and 3.2.2.4.15 (“Phone Contact with Domain Contact”).
>
> *Justification:*
>
> - While solutions to strengthen WHOIS-relying DCV methods are
> considered in this ballot (see above), there is limited public evidence of
> significant reliance on these methods, including in response to [3] and [6].
> - Instead, discussion has identified at least one CA Owner has already
> sunset reliance on WHOIS [7], and another that has changed its approach [8]
> for relying on WHOIS since disclosure of [2].
> - More modern and heavily relied-upon DCV methods offer advantages
> over the existing WHOIS-based methods, including greater opportunity for
> seamless certificate lifecycle management automation (e.g., [9] and [10]),
> while also benefiting from recently improved security practices [11]. These
> methods can also more effectively align subscriber capabilities with
> agility and resilience expectations necessary to respond to the revocation
> timelines described in the TLS BRs [12].
> - Beyond the above, previous discussions within the CA/Browser Forum
> have raised concerns about the perceived value (e.g., [13]) and security
> (e.g., [14]) of the DCV methods relying on WHOIS, further supporting the
> rationale for their gradual sunset.
>
>
> *Benefits of adoption:*
>
> - Enhanced Security: Eliminates reliance on outdated and vulnerable
> DCV methods that cannot consistently provide the security required by the
> TLS BRs, or benefit from recent DCV security enhancements (i.e.,
> Multi-Perspective Issuance Corroboration [11]).
> - Increased Agility: Encourages site owners to transition to modern
> DCV methods, creating opportunities for faster, more efficient, and less
> error-prone certificate lifecycle management.
> - Opportunity for Innovation: Promotes the development of new and/or
> improved DCV methods, fostering innovation that may enhance the overall
> security and agility of the ecosystem.
>
>
> *Proposed Key Dates:*
>
> The effective dates considered in this update are intended to 1) address
> the immediate concerns identified by [2], and 2) offer near-term and
> longer-term transition periods for subscribers and CA Owners relying on
> existing implementations of these methods.
>
> - January 15, 2025: (1) Prohibit the use of RFC 3912 (WHOIS) and HTTPS
> websites to identify Domain Contact information. (2) Prohibit the reuse of
> DCV relying on information obtained using these technologies. (3) Prohibit
> WHOIS-based DCV methods for Subscriber Certificates containing ccTLDs. (4)
> CAs MUST NOT rely on cached WHOIS/RDAP data more than 48 hours old.
> - July 15, 2025: (1) Sunset DCV Methods 3.2.2.4.2 ("Email, Fax, SMS,
> or Postal Mail to Domain Contact") and 3.2.2.4.15 ("Phone Contact with
> Domain Contact"). (2) Prior validations using these methods and validation
> data gathered therein MUST NOT be used to issue new Subscriber Certificates.
>
>
> *Proposal Revision History:*
>
> - Pre-Ballot Version #1 [4]
> - Ballot Version #1 [7]
> - Version #2 Pre-Release [17] and discussion [18]
> - Version #2 (this version) [19]
>
>
> The following motion has been proposed by Ryan Dickson and Chris Clements
> of Google (Chrome Root Program) and endorsed by Arvid Vermote (GlobalSign)
> and Pedro Fuentes (OISTE).
>
>
> — Motion Begins —
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted TLS Server Certificates” (“Baseline
> Requirements”), based on Version 2.0.7.
>
> MODIFY the Baseline Requirements as specified in the following Redline:
>
>
> https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..7f2b54cfa5b89f41458a88211566ce508c464804
>
> — Motion Ends —
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
> *Discussion (no less than 7 days)*
>
> - Start: 2024-10-01 17:00:00 UTC
> - End no earlier than: 2024-10-08 17:00:00 UTC
>
>
> *Vote for approval (7 days)*
>
> - Start: TBD
> - End: TBD
>
>
>
> Comments are welcome either on-list or with suggested edits via GitHub
> (preferred) at [19].
>
>
>
> Thanks,
>
> Ryan
>
>
>
>
>
> *References:*
>
> [1]
> https://archive.cabforum.org/pipermail/servercert-wg/2024-September/004900.html
> [2]
> https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
> [3]
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U/m/hKJOz3XzAAAJ
> [4]
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA/m/oDNWxtPwAQAJ
> [5]
> https://archive.cabforum.org/pipermail/servercert-wg/2024-September/004839.html
> [6]
> https://archive.cabforum.org/pipermail/servercert-wg/2024-September/004844.html
> [7]
> https://aws.amazon.com/blogs/security/aws-certificate-manager-will-discontinue-whois-lookup-for-email-validated-certificates/
> [8] https://bugzilla.mozilla.org/show_bug.cgi?id=1917896
> [9]
> https://cabforum.org/working-groups/server/baseline-requirements/requirements/#32247-dns-change
> [10]
> https://cabforum.org/working-groups/server/baseline-requirements/requirements/#322419-agreed-upon-change-to-website---acme
> [11]
> https://cabforum.org/working-groups/server/baseline-requirements/requirements/#3229-multi-perspective-issuance-corroboration
> [12]
> https://cabforum.org/working-groups/server/baseline-requirements/requirements/#491-circumstances-for-revocation
> [13]
> https://archive.cabforum.org/pipermail/servercert-wg/2018-August/000113.html
> [14] https://lists.cabforum.org/pipermail/validation/2024-July/001995.html
> [15]
> https://archive.cabforum.org/pipermail/servercert-wg/2024-September/004825.html
> [16]
> https://github.com/ryancdickson/staging/compare/356799f0dcfe11deb0a375a11233403236ab72c9..7a2ea7b33611bebf006a99a9a82729f183143eac
> [17]
> https://github.com/ryancdickson/staging/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..7a2ea7b33611bebf006a99a9a82729f183143eac
> [18] https://github.com/ryancdickson/staging/pull/9
> [19] https://github.com/cabforum/servercert/pull/551
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20241002/2042016d/attachment.html>
More information about the Servercert-wg
mailing list