[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

Mike Shaver mike.shaver at gmail.com
Mon Sep 16 20:39:48 UTC 2024


Hi Dimitris,

On Mon, Sep 16, 2024 at 2:07 PM Dimitris Zacharopoulos (HARICA) via
Servercert-wg <servercert-wg at cabforum.org> wrote:

> Is there feedback about the number of TLDs and possible certificate
> volumes that might be affected by this attack?
>
> The majority of validations performed by CAs using WHOIS is done in gTLDs
> which have decent rules for monitoring and supervising their operators. The
> biggest issue is with ccTLDs, which in majority work ok. Unfortunately,
> most of them do not disclose email contact information, making them
> unusable for Domain Validation.
>

I’ll admit that I am not very familiar with how gTLD operators manage their
Whois services, or ensure prompt update when domains lapse or similar.
Could you provide some more detail about the “decent rules” in place, and
how they align with the general standard of hygiene and reliability that is
required of other DCV methods? As far as I can tell there isn’t even a
provision for server authentication of the WHOIS protocol, meaning that it
could be subverted by any MITM or DNS-poisoning adversary, for any domain.

As an example, we recently saw a CA reissue certificates because the
(very-widely-relied-upon) Google DNS service they used for domain
validation did not *guarantee* that it validated DNSSEC. That is an
appropriately high level of care for web PKI certificates, IMO.

> Why are we causing such a large disturbance as if the Global Internet is
> unsafe by this attack when the impact is 1 or 2 vanity TLDs for which
> mitigations exist (like, use a better library or use the latest updated
> list from IANA)?
>

I don’t see how using the updated list from IANA (updated how often and
with what latency) overcomes the weaknesses in WHOIS itself, but I also
don’t think that we should be treating TLDs differently in terms of the
standards of authentication required for obtaining a certificate. As far as
I know, no CA has ever tried to make the argument that an incident related
to certificate issuance was of lesser import or urgency because it was for
a little-used service or domain. I assume (and indeed hope) that such an
argument would be ill-received by the root programs. I don’t expect that
relying parties grade the web PKI’s assurances on a curve based on what
domain they’re connecting to, either. And there is of course no telling
which TLD will become “hot” for popular services at any time (as happened
with .io and .ai for example, or even .rs).

I may be misunderstanding your argument, though. Are you not saying that
it’s no big deal if someone other than the current domain owner can get a
certificate for a domain, as long as it’s a “minor” TLD?

That plea for domain equality aside, I think describing .mobi as a “vanity”
domain is ahistorical, given its origins and two-decade history.
“amazon.mobi” was registered in 2006 and remains active to this day; I
expect that it has received a fair bit of traffic from users intending to
reach Amazon. The .mobi domain seems to have some level of control applied
to who can register what, because google.mobi didn’t exist except when the
service was under the security researchers’ control.

Mike
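The reissuance Mike mentions above turned on whether the resolver used for DNS-based validation actually asserted DNSSEC validation. In wire terms that assertion is the AD ("authentic data") bit of the DNS header, and a CA that needs it has to check for it explicitly rather than accept any NOERROR answer. The following is an added illustration, not code from this thread or from any CA or resolver vendor: it builds a TXT query that requests AD, parses the header of a response, and accepts the answer only when AD is set, CD is clear, and the response is an untruncated NOERROR answer matching the query id. The sample responses are constructed byte strings, not captures, and the name `_validation.example.com` and the token value are placeholders. The same caveat that applies to WHOIS applies here: an AD bit received over plain UDP from a remote resolver is only as trustworthy as the path to that resolver, so a validating stub or a resolver reached over an authenticated transport is what makes the check meaningful.

```python
import struct

# Bit masks for the 16-bit flags word in the DNS header (RFC 1035 section 4.1.1;
# the AD and CD bits are defined in RFC 4035 section 3.2.3).
QR = 0x8000  # message is a response
TC = 0x0200  # response was truncated
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authentic data: resolver asserts DNSSEC validation succeeded
CD = 0x0010  # checking disabled: DNSSEC validation was explicitly switched off
RCODE_MASK = 0x000F


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire (length-prefixed label) format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, txn_id: int, qtype: int = 16) -> bytes:
    """Build a query (default qtype 16 = TXT, as used for DNS-based DCV) with RD
    and AD set; a validating resolver then reports AD only if the chain validated."""
    header = struct.pack("!HHHHHH", txn_id, RD | AD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_flags(msg: bytes) -> dict:
    """Return the header fields a caller must inspect before trusting an answer."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & QR),
        "tc": bool(flags & TC),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def is_validated_answer(msg: bytes, expected_id: int) -> bool:
    """True only when the response matches our query id, is a complete NOERROR
    response carrying at least one answer, and the resolver asserted DNSSEC
    validation (AD=1 with CD=0). Anything else is treated as unvalidated."""
    h = parse_flags(msg)
    return (
        h["id"] == expected_id
        and h["qr"]
        and not h["tc"]
        and h["rcode"] == 0
        and h["ancount"] > 0
        and h["ad"]
        and not h["cd"]
    )


def _sample_response(txn_id: int, flags: int) -> bytes:
    """Constructed sample (not a real capture): one TXT answer for the
    placeholder name _validation.example.com, with the given header flags."""
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 1, 0, 0)
    question = encode_name("_validation.example.com") + struct.pack("!HH", 16, 1)
    txt = b"token=constructed-sample"
    rdata = bytes([len(txt)]) + txt
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    return header + question + answer


# Constructed examples: the same answer with and without the AD assertion.
VALIDATED = _sample_response(0x1234, QR | RD | RA | AD)        # flags 0x81a0
UNVALIDATED = _sample_response(0x1234, QR | RD | RA)           # flags 0x8180
CHECKING_DISABLED = _sample_response(0x1234, QR | RD | RA | AD | CD)

if __name__ == "__main__":
    cases = (("AD set", VALIDATED), ("no AD", UNVALIDATED), ("CD set", CHECKING_DISABLED))
    for label, resp in cases:
        print(f"{label}: accept={is_validated_answer(resp, 0x1234)}")
```

The design choice worth noting is that the absence of AD is treated as a hard failure rather than a warning: a resolver that does not set AD has made no claim about the data, and a validation pipeline that silently falls back to "unvalidated but present" is exactly the situation that led to the reissuance described above.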