[Servercert-wg] [External Sender] Re: Re: Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

Maria Merkel maria at maria.cc
Wed Sep 18 09:23:22 UTC 2024


Adding to this, in most cases Whois is redacted these days anyway (and
RDAP in the ICANN recommended implementation is entirely useless for email
validation as it requires all email addresses to be replaced by a contact
form going through the registrar).

The only reliable use case I could think of is where the registrar is also
the SSL CA and thus has unredacted access to its registration data. But
this use case is already allowed separately (3.2.2.4.12 Validating
Applicant as a Domain Contact), so it would still be allowed after removing
Whois as an allowed validation method.

It would be very useful to have numbers on how often this method is
actually used, maybe CAs could share some insight here?

I do agree that Whois based validation should be retired, but the timeline
seems too quick.

Maria Merkel

On Wed, Sep 18, 2024 at 11:14 AM Q Misell via Servercert-wg <
servercert-wg at cabforum.org> wrote:

>
> Consulting with the IANA registrar falls apart when a reseller is
> involved. Sometimes the correct contact data is held by a reseller not the
> registrar of record.
>
> I don't think we should allow validation based on Registration Directory
> Services <https://e.as207960.net/w4bdyj/U0u4dSeajXbodURp> knowing how
> unreliable they can be.
> ------------------------------
>
> Any statements contained in this email are personal to the author and are
> not necessarily the statements of the company unless specifically stated.
> AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace,
> Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
> registered in Wales under № 12417574
> <https://e.as207960.net/w4bdyj/9RSVdvm0MrsRNsbs>, LEI
> 875500FXNCJPAPF3PD10. ICO register №: ZA782876
> <https://e.as207960.net/w4bdyj/KbjUXXJAKmBFs6zI>. UK VAT №: GB378323867.
> EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №:
> 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru
> maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca
> Digital, is a company registered in Estonia under № 16755226. Estonian VAT
> №: EE102625532. Glauca Digital and the Glauca logo are registered
> trademarks in the UK, under № UK00003718474 and № UK00003718468,
> respectively.
>
>
> On Wed, 18 Sept 2024 at 10:59, Amir Omidi via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> I do not agree. What’s the point of keeping this bespoke method
>> available? These options create complexity and complexity creates security
>> vulnerabilities. In what situation would this method be useful where DNS
>> currently can’t solve that need?
>>
>> On Wed, Sep 18, 2024 at 04:56 Adriano Santoni via Servercert-wg <
>> servercert-wg at cabforum.org> wrote:
>>
>>> I agree if by "WHOIS-related" methods we mean any method based on the
>>> WHOIS protocol, either directly or via protocol gateways (e.g. web-based
>>> interfaces to WHOIS records). And I support the WHOIS deprecation
>>> initiative in this sense, since it has been shown that it may be unreliable.
>>>
>>> However, where the domain contacts information is obtained, e.g. via the
>>> web, from an IANA-accredited domain registrar and is *not* based on WHOIS,
>>> then I think it can be used.
>>> I assume everyone agrees as long as no one raises a hand to object.
>>>
>>>
>>> Adriano
>>>
>>> On 17/09/2024 18:04, Pedro FUENTES wrote:
>>>
>>> Could it be that we all agree that WHOIS-related methods are so tricky
>>> that they deserve to be ditched, and the only thing that requires consensus is
>>> the deadline to apply?
>>>
>>> On my particular side, I personally consider that 1/1/2025 is a
>>> reasonable date.
>>>
>>> On 17 Sept 2024 at 17:59, Adriano Santoni via Servercert-wg
>>> <servercert-wg at cabforum.org> wrote:
>>>
>>> Andrew,
>>>
>>> I was not referring to any WHOIS server, but rather to the information
>>> about domain "owners" that a registrar is supposed to collect and keep.
>>>
>>> So you believe that if a CA does the following, the domain contact email
>>> they can (sometimes) get is *unreliable*?
>>>
>>> 1) Consult the list of accredited domain registrars on the IANA website (
>>> https://www.icann.org/en/accredited-registrars ), thus finding
>>> confirmation of one particular registrar's website the CA was looking for.
>>> 2) Access the website found in point 1 above and query the information
>>> available on a certain domain.
>>> 3) At this point, sometimes (rarely) obtain, among other information,
>>> also the email address of a domain contact.
>>>
>>> Note that here I'm not talking about the WHOIS protocol nor WHOIS
>>> servers, but about the information that the domain registrar has the duty
>>> to collect and store (not necessarily publish) about the subject who
>>> registered a domain.
>>>
>>> Regards,
>>>
>>> Adriano
>>>
>>>
>>> On 17/09/2024 17:13, Andrew Ayer wrote:
>>>
>>> On Tue, 17 Sep 2024 07:21:28 +0000
>>> Adriano Santoni via Servercert-wg <servercert-wg at cabforum.org> wrote:
>>>
>>>> I believe that the *interactive* query of the domain registrar, directly
>>>> on its website, can be considered reliable to the extent that the CA is
>>>> confident that it is in fact consulting the "right" website.
>>>
>>> CAs were not consulting the right WHOIS server, despite a database of
>>> correct WHOIS servers existing (at least for gTLDs). How would the problem
>>> be better when it comes to finding the "right" website?
>>>
>>> The gTLD registry agreement requires gTLD operators to update the IANA
>>> Rootzone Database when their WHOIS server changes; I don't see a
>>> similar requirement for keeping a database of website URLs up-to-date.
>>>
>>> Regards,
>>>
>>> Andrew
>>>
>>>
>>> _______________________________________________
>>> Servercert-wg mailing list
>>> Servercert-wg at cabforum.org
>>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
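Maria's point above, that an RDAP response in the ICANN-profile style replaces the contact e-mail with a registrar contact form, can be made concrete with an added Python example that is not part of this thread or of any CA's tooling. It parses two constructed RDAP domain responses (one redacted, one not) and reports which contact roles expose an address a CA could actually send a validation e-mail to. The sample JSON, the domain `example.test`, the registrar URL, the redaction marker strings and all function names are assumptions made for this example.

```python
"""Find usable contact e-mail addresses in an RDAP domain response.

Added example: when a registrar redacts contact data in the ICANN
response-profile style, the e-mail slot carries a contact-form URL and a
remark announcing the redaction, so e-mail-based domain validation gets
nothing it can use.
"""
import json
from typing import Dict, List

# Marker text assumed for redacted fields (matched case-insensitively).
REDACTION_MARKERS = ("REDACTED FOR PRIVACY",)
CONTACT_ROLES = ("registrant", "administrative", "technical")


def jcard_emails(vcard_array) -> List[str]:
    """Return every 'email' property value from an RDAP jCard ('vcardArray')."""
    if not isinstance(vcard_array, list) or len(vcard_array) < 2:
        return []
    emails = []
    for prop in vcard_array[1]:
        # A jCard property is [name, parameters, type, value].
        if isinstance(prop, list) and len(prop) >= 4 and str(prop[0]).lower() == "email":
            emails.append(str(prop[3]))
    return emails


def is_redacted(entity: Dict) -> bool:
    """True when the entity's remarks or formatted name announce a redaction."""
    for remark in entity.get("remarks", []):
        title = str(remark.get("title", "")).upper()
        if any(marker in title for marker in REDACTION_MARKERS):
            return True
    for prop in (entity.get("vcardArray") or ["vcard", []])[1]:
        if isinstance(prop, list) and len(prop) >= 4 and str(prop[0]).lower() == "fn":
            if any(marker in str(prop[3]).upper() for marker in REDACTION_MARKERS):
                return True
    return False


def looks_like_mailbox(value: str) -> bool:
    """Reject contact-form URLs and other placeholders that are not addresses."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://")):
        return False
    local, sep, domain = v.rpartition("@")
    return bool(sep) and bool(local) and "." in domain


def usable_contact_emails(rdap: Dict) -> Dict[str, List[str]]:
    """Map each contact role to mailable addresses found for it."""
    result: Dict[str, List[str]] = {role: [] for role in CONTACT_ROLES}
    for entity in rdap.get("entities", []):
        roles = [r for r in entity.get("roles", []) if r in CONTACT_ROLES]
        if not roles or is_redacted(entity):
            continue  # a redacted entity yields nothing, whatever the vCard holds
        for email in jcard_emails(entity.get("vcardArray")):
            if not looks_like_mailbox(email):
                continue
            for role in roles:
                result[role].append(email)
    return result


def email_validation_possible(rdap: Dict) -> bool:
    """Whether any domain contact exposes an address usable for validation mail."""
    return any(usable_contact_emails(rdap).values())


# Constructed sample 1: redacted; the e-mail slot holds a contact-form URL.
REDACTED_RESPONSE = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.test",
  "entities": [{
    "objectClassName": "entity",
    "roles": ["registrant", "administrative", "technical"],
    "vcardArray": ["vcard", [
      ["version", {}, "text", "4.0"],
      ["fn", {}, "text", "REDACTED FOR PRIVACY"],
      ["email", {}, "text", "https://registrar.example/contact?domain=example.test"]
    ]],
    "remarks": [{
      "title": "EMAIL REDACTED FOR PRIVACY",
      "description": ["Query the registrar of record's RDDS for contact details."]
    }]
  }]
}
""")

# Constructed sample 2: unredacted; the registrant publishes a real mailbox.
UNREDACTED_RESPONSE = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.test",
  "entities": [{
    "objectClassName": "entity",
    "roles": ["registrant", "administrative"],
    "vcardArray": ["vcard", [
      ["version", {}, "text", "4.0"],
      ["fn", {}, "text", "Example Hostmaster"],
      ["email", {}, "text", "hostmaster@example.test"]
    ]]
  }]
}
""")

if __name__ == "__main__":
    for name, rdap in (("redacted", REDACTED_RESPONSE), ("unredacted", UNREDACTED_RESPONSE)):
        print(name, email_validation_possible(rdap), usable_contact_emails(rdap))
```

The redacted sample yields no usable address for any role, which is the outcome a CA relying on this method would see for most domains today; the unredacted sample is the rare case where a mailbox is actually published.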