[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Sep 18 16:37:26 UTC 2024


Domain Name Registrars may use the Domain Contact information in their 
records, published using the WHOIS/RDAP/WWW protocols, to contact a 
Domain Owner for password resets or modifications to the Domain Name 
Servers.

If Domain Name Registrars use that information to make changes to the 
Name Servers associated with a Domain Name, which is way more critical 
for the security of that actual Domain Name, why shouldn't the WebPKI 
rely on it for demonstration of ownership of the Domain Name?

Over the years, most Registrars have implemented additional controls 
like stronger authentication using 2FA and others, but the fundamental 
issue exists. What happens when a Domain Owner forgets their password? 
Each Registrar may have a different approach to handle this particular 
situation, but I assure you most of them use the Domain Contact 
information to perform this reset.

BTW, the same principles guide IP address block 
assignment/management, which also still relies heavily on WHOIS.

Dimitris.


On 18/9/2024 3:43 p.m., Mike Shaver via Servercert-wg wrote:
> Here's maybe a helpful way to frame the discussion: if the BRs didn't 
> permit WHOIS/domain-registry-website DCV right now, and someone 
> proposed adding it, what would we need to see in the associated ballot 
> to be comfortable that it didn't represent a weakening of the 
> sans-WHOIS DCV model? Would we permit it only for gTLD based on IANA 
> requiring that there at least be a server operated? Would we permit 
> unencrypted RFC-3912 wire transactions at all, in any case?
>
> The migration timeline will be a source of tension between "improve 
> the security of the web" and "impose work on people who have been 
> relying on the ease of WHOIS DCV", but it's not clear to me that this 
> group even has consensus on what a desirable 
> communicate-with-domain-registrant DCV would look like after a 
> successful migration period.
>
> Mike
>
>
> On Wed, Sep 18, 2024 at 8:38 AM Mike Shaver via Servercert-wg 
> <servercert-wg at cabforum.org> wrote:
>
>     Hi Andrew,
>
>     Thanks for a really thoughtful analysis here!
>
>     On Tue, Sep 17, 2024 at 11:13 AM Andrew Ayer via Servercert-wg
>     <servercert-wg at cabforum.org> wrote:
>
>         Delegating DNS records using CNAME (e.g. with [3]) is
>         better, but not as easy because it requires the subscriber to
>         operate public-facing infrastructure.
>
>
>     I had understood that SCWG's BRs and the issuance of web PKI certs
>     was indeed intended to only be for internet-accessible
>     infrastructure anyway. Is it really a problem that SCWG needs to
>     solve if people are trying to piggyback off the web PKI for their
>     internal systems, rather than manage their own PKI model? This
>     could be yet another nudge for people to stop doing that, which
>     IMO would be a positive side-effect and not a counter-argument.
>
>     Mike
>
>     _______________________________________________
>     Servercert-wg mailing list
>     Servercert-wg at cabforum.org
>     https://lists.cabforum.org/mailman/listinfo/servercert-wg