[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

Ryan Dickson ryandickson at google.com
Mon Sep 16 16:15:06 UTC 2024


Purpose of Ballot SC-080 V1:



This Ballot proposes updates to the Baseline Requirements for the Issuance
and Management of Publicly-Trusted TLS Server Certificates (i.e., TLS BRs)
related to sunsetting the use of WHOIS when identifying Domain Contacts.


Background:


In light of recent events where research from WatchTowr Labs demonstrated
how threat actors could exploit WHOIS to obtain fraudulently issued TLS
certificates [1] and follow-on discussions in MDSP [2][3], we drafted an
introductory proposal [4] to sunset the use of WHOIS for identifying Domain
Contacts.


The proposal sets a prohibition against relying on WHOIS to identify Domain
Contacts beginning 11/1/2024. At the same time, it also prohibits use of
DCV reuse where WHOIS was used as the source of truth for a Domain Contact.



Proposal Revision History:


   - Pre-Ballot Version #1 [4]



Previous Versions of this Ballot:


   - N/A


References:

[1] https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/

[2] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U

[3] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA

[4] https://github.com/cabforum/servercert/pull/548

[5] https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787



The following motion has been proposed by Ryan Dickson and Chris Clements
of Google (Chrome Root Program) and endorsed by Arvid Vermote (GlobalSign)
and Pedro Fuentes (OISTE).


— Motion Begins —



This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted TLS Server Certificates” (“Baseline
Requirements”), based on Version 2.0.7.



MODIFY the Baseline Requirements as specified in the following Redline:

https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9



— Motion Ends —



This ballot proposes a Final Maintenance Guideline. The procedure for
approval of this ballot is as follows:



Discussion (7 days)

- Start: 2024-09-16 16:00:00 UTC

- End no earlier than: 2024-09-23 16:00:00 UTC



Vote for approval (7 days)

- Start: TBD

- End: TBD