[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

Ryan Dickson ryandickson at google.com
Mon Sep 16 19:31:20 UTC 2024
Hi Mike,

The immediate thought was to allow existing certificates to expire
naturally, but it also seems valuable to review the community’s past
response(s) when sunsetting other DCV methods (like here
<https://cabforum.org/2020/08/14/ballot-sc33-tls-using-alpn-method/>). This
<https://groups.google.com/g/mozilla.dev.security.policy/c/RHsIInIjJA0/m/LKrNi35aAQAJ>
thread appears informative, and I suspect there are others like it.

Happy to hear additional opinions from the community, especially those with
direct lessons learned from the past.

Thanks,

Ryan
On Mon, Sep 16, 2024 at 12:59 PM Mike Shaver <mike.shaver at gmail.com> wrote:

> Thanks for the action on this.
>
> Should this ballot include guidance or instruction for CAs who have been
> using Whois DCV previously? Are we content to simply let Whois-validated
> certs expire, or should CAs revalidate domain control for relevant certs
> using an approved method? If domain control can be validated, then I don’t
> think there would be any need to revoke/reissue (unless the CPS calls out
> Whois DCV maybe? I don’t know of any such). If it *can’t* be revalidated,
> then revoking the certificate is probably appropriate!
>
> Mike
>
> On Mon, Sep 16, 2024 at 12:15 PM Ryan Dickson via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> Purpose of Ballot SC-080 V1:
>>
>> This Ballot proposes updates to the Baseline Requirements for the
>> Issuance and Management of Publicly-Trusted TLS Server Certificates
>> (i.e., TLS BRs) related to sunsetting the use of WHOIS when identifying
>> Domain Contacts.
>>
>> Background:
>>
>> In light of recent events where research from WatchTowr Labs demonstrated
>> how threat actors could exploit WHOIS to obtain fraudulently issued TLS
>> certificates [1] and follow-on discussions in MDSP [2][3], we drafted an
>> introductory proposal [4] to sunset the use of WHOIS for identifying Domain
>> Contacts.
>>
>> The proposal sets a prohibition against relying on WHOIS to identify
>> Domain Contacts beginning 11/1/2024. At the same time, it also prohibits
>> DCV reuse where WHOIS was used as the source of truth for a Domain
>> Contact.
>>
>> Proposal Revision History:
>>
>>    - Pre-Ballot Version #1 [4]
>>
>> Previous Versions of this Ballot:
>>
>>    - N/A
>>
>> References:
>>
>> [1]
>> https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
>>
>> [2]
>> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U
>>
>> [3]
>> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA
>>
>> [4] https://github.com/cabforum/servercert/pull/548
>>
>> [5]
>> https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787
>>
>> The following motion has been proposed by Ryan Dickson and Chris Clements
>> of Google (Chrome Root Program) and endorsed by Arvid Vermote (GlobalSign)
>> and Pedro Fuentes (OISTE).
>>
>> — Motion Begins —
>>
>> This ballot modifies the “Baseline Requirements for the Issuance and
>> Management of Publicly-Trusted TLS Server Certificates” (“Baseline
>> Requirements”), based on Version 2.0.7.
>>
>> MODIFY the Baseline Requirements as specified in the following Redline:
>>
>> https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9
>>
>> — Motion Ends —
>>
>> This ballot proposes a Final Maintenance Guideline. The procedure for
>> approval of this ballot is as follows:
>>
>> Discussion (7 days)
>>
>> - Start: 2024-09-16 16:00:00 UTC
>>
>> - End no earlier than: 2024-09-23 16:00:00 UTC
>>
>> Vote for approval (7 days)
>>
>> - Start: TBD
>>
>> - End: TBD
>>
>