[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"
Tobias S. Josefowitz
tobij at opera.com
Wed Sep 18 16:38:28 UTC 2024
Hi Andrew,
On Wed, 18 Sep 2024, Andrew Ayer wrote:
> On Wed, 18 Sep 2024 14:51:52 +0000
> "Tobias S. Josefowitz via Servercert-wg" <servercert-wg at cabforum.org>
> wrote:
>
>> While it may be possible to implement automation based on this that
>> does so securely, checking the CSR and correlating it to the CSR
>> automatically handed in... it sounds unlikely that the majority of
>> such implementations do this properly. It would be reasonably
>> involved to arrive at an actually secure automated process, and it
>> would so easily lend itself to an insecure implementation.
>
> You can see in Amazon's documentation
> (https://docs.aws.amazon.com/acm/latest/userguide/email-automation.html)
> that the email clearly specifies the account ID of the certificate
> requester and a certificate identifier. It is critical to validate the
> account ID. I don't think this is as hard as you're suggesting.
Indeed, thank you for sharing this. I can easily see how one could do
something useful with this. I am not convinced that's where the majority
of users of this method necessarily arrive, but I certainly do not want to
criticize anyone who did.
> Unfortunately, I don't think this is universally true. ALPN and
> HTTP challenges don't work for wildcards or hostnames that are not
> publicly-accessible on port 80 or 443. Large organizations usually lock
> down the ability to create DNS records, or are using DNS providers
> without sensible APIs, making it a significant challenge to manage DNS
> challenges at scale. Being able to delegate certificate validation for
> all domains to a central point is extremely useful.
I still maintain that ACME with automated DNS changes is ultimately the
better option; DNS hosting options enabling that are readily available as
well. But I would not like to be forced to transition an organization from
a provider that doesn't allow it to one that does, and specifically not in
a short timeframe. Point taken.
> In the long term this should not be a reason to keep around WHOIS
> validation, and I support immediately sunsetting WHOIS validation for
> ccTLDs due to the demonstrated problem there. I just wanted to provide
> an explanation for why sunsetting WHOIS would be disruptive to
> currently-deployed automation solutions.
Thank you for that!
Tobi
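The exchange above turns on one point: an automated handler for email-based domain validation must not approve a message merely because it arrived at the validation address; it must check that the account identifier in the message is the one it expects and correlate the certificate identifier with a request it actually submitted. The following added example (not code from the list thread, from Amazon, or from any CA) shows such a gate over a constructed message layout; the field labels, the 12-digit account ID form and the `PendingRequest` store are assumptions for illustration, not ACM's real email format or API.

```python
"""Approval gate for domain-validation emails (added illustration).

The message format below is constructed for this example and is not the
layout of any real CA's validation email. The security-relevant behaviour
is that a message is approved only when (1) every required field appears
exactly once, (2) the account ID matches the account we expect, and
(3) the certificate identifier and domain match a request we submitted.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingRequest:
    """A certificate request our own automation submitted (hypothetical store)."""
    account_id: str
    cert_id: str
    domain: str


# Constructed field labels; one line per field, anchored to full lines so a
# value smuggled into the middle of another line does not match.
ACCOUNT_RE = re.compile(r"^Account ID:\s*(\d{12})\s*$", re.MULTILINE)
CERT_RE = re.compile(r"^Certificate identifier:\s*([A-Za-z0-9-]+)\s*$", re.MULTILINE)
DOMAIN_RE = re.compile(r"^Domain name:\s*([A-Za-z0-9.-]+)\s*$", re.MULTILINE)


def parse_validation_email(body: str):
    """Return the three fields, or None if any is missing or appears twice.

    Treating a duplicated field as unparseable matters: an approver that
    takes the first or last match could be steered by a second copy of the
    line placed elsewhere in the body.
    """
    fields = {}
    for name, rx in (("account_id", ACCOUNT_RE), ("cert_id", CERT_RE), ("domain", DOMAIN_RE)):
        matches = rx.findall(body)
        if len(matches) != 1:
            return None
        fields[name] = matches[0]
    return fields


def should_approve(body: str, trusted_account_id: str, pending):
    """Decide whether to click through on behalf of the domain contact.

    Returns (approve, reason). Only a message whose account ID is ours and
    whose certificate identifier/domain pair is in our own pending list is
    approved; everything else is refused and left for a human to look at.
    """
    fields = parse_validation_email(body)
    if fields is None:
        return False, "unparseable or ambiguous message"
    if fields["account_id"] != trusted_account_id:
        return False, "account ID does not match ours"
    for req in pending:
        if (req.account_id == trusted_account_id
                and req.cert_id == fields["cert_id"]
                and req.domain == fields["domain"]):
            return True, "matched pending request"
    return False, "no pending request for this certificate"


# Constructed sample data: our account, one request we actually made, and
# three messages (one genuine, two that must be refused).
OUR_ACCOUNT = "123456789012"
PENDING = [PendingRequest(OUR_ACCOUNT, "cert-abc123", "example.com")]

GENUINE_MSG = (
    "A certificate was requested for your domain.\n"
    "Account ID: 123456789012\n"
    "Certificate identifier: cert-abc123\n"
    "Domain name: example.com\n"
    "Approve here: https://approve.invalid/placeholder\n"
)
OTHER_ACCOUNT_MSG = GENUINE_MSG.replace("123456789012", "999999999999")
DUPLICATE_FIELD_MSG = GENUINE_MSG + "Account ID: 999999999999\n"
UNKNOWN_CERT_MSG = GENUINE_MSG.replace("cert-abc123", "cert-zzz999")


def run_samples():
    """Evaluate the constructed messages; used by the test harness below."""
    return {
        "genuine": should_approve(GENUINE_MSG, OUR_ACCOUNT, PENDING),
        "other_account": should_approve(OTHER_ACCOUNT_MSG, OUR_ACCOUNT, PENDING),
        "duplicate_field": should_approve(DUPLICATE_FIELD_MSG, OUR_ACCOUNT, PENDING),
        "unknown_cert": should_approve(UNKNOWN_CERT_MSG, OUR_ACCOUNT, PENDING),
    }


if __name__ == "__main__":
    for name, (approve, reason) in run_samples().items():
        print(f"{name:16} approve={approve} ({reason})")
```

The refusal branches are the point: a message for someone else's account, a message carrying two account lines, and a message for a certificate this automation never requested all fall through to a human rather than being approved. That is the correlation step the thread describes as easy to leave out.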