[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Sep 18 17:27:16 UTC 2024 

Thanks for steering the discussion, Ryan, and for offering summaries and 
recaps that help it move forward.

On 17/9/2024 7:04 μ.μ., Ryan Dickson via Servercert-wg wrote:
> Hi all,
>
> Thanks for your feedback thus far! Understanding other perspectives 
> from the community has been very helpful.
>
> Trying to focus my response on the themes I understand from the last 
> 24hrs of discussion in hopes of helping us move forward in a common 
> direction.
[...]
>
> Questions: Can those willing to share an opinion help me better 
> understand…
>
>   * What criteria this community should use to establish an acceptable
>     timeline for sunsetting or improving a DCV method that’s been
>     demonstrated as either 1) capable of being abused or 2) offers
>     unreliable security properties?
>   * A description of active reliance on RFC 3912 lookups and/or
>     lookups relying on HTTPS Websites hosting WHOIS tools?
>   * How do we feel about the approach described in [5]?
>

I will only comment on the approach described in [5] to ban WHOIS/RDAP 
for ccTLDs in general (of course I agree with the first suggestion in [5]).

I would consider it unfair to ban all ccTLDs when some of those 
operators do a great job at operating and maintaining these critical 
services, even better than some gTLD operators. Granted that there is no 
global oversight of their operations, however there are multiple 
jurisdictions that take these services very seriously, enough to apply 
strict supervision like the one applied to power plants, public 
transportation, telecommunication providers and nuclear factories!

An alternative suggestion would be to create a block list of ccTLDs for 
which there is undisputed evidence that certain Registrars/Operators are 
not performing their duties in a reliable way. But even in that case, 
why would the Forum want to be in a position to deprive Domain Owners of 
Domain Names under "unreliable" Registrars, the right to obtain a 
publicly-trusted certificate to secure communications? The Forum has 
even established methods to securely offer certificates to onion Domain 
Names that are outside the DNS.


Best regards,
Dimitris.

>
> Thanks again,
> Ryan
>
> [1] 
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U/m/3Gy6LcHsAQAJ
> [2] 
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U/m/FRXLDjXwAQAJ
> [3] 
> https://archive.cabforum.org/pipermail/servercert-wg/2024-September/004834.html 
>
> [4] 
> https://archive.cabforum.org/pipermail/servercert-wg/2024-September/004840.html 
>
> [5] 
> https://archive.cabforum.org/pipermail/servercert-wg/2024-September/004839.html 
>
> [6] 
> https://archive.cabforum.org/pipermail/servercert-wg/2024-September/004835.html
>
> On Tue, Sep 17, 2024 at 11:22 AM Maria Merkel <maria at maria.cc> wrote:
>
>     It is worth adding that ICANN not only requires Whois availability
>     in their agreements with gTLDs, but actually monitors it, so it is
>     unlikely that these could have a non-functioning entry for very
>     long:
>     https://www.icann.org/en/system/files/files/presentation-slam-13may17-en.pdf
>
>
>     In most of these takeover situations, I would assume the Whois
>     server was first offline for an extended period of time.
>
>     I also think the timeline for disallowing Whois is too short, and
>     maybe disallowing it for ccTLDs only first may be an acceptable
>     compromise.
>
>     On Tue, Sep 17, 2024 at 5:13 PM Andrew Ayer via Servercert-wg
>     <servercert-wg at cabforum.org> wrote:
>
>         Hi Ryan,
>
>         We've seen evidence of two distinct security issues:
>
>         1. CAs relying on an out-of-date database of WHOIS servers
>         (original
>         WatchTowr analysis).
>
>         2. ccTLDs not maintaining an accurate record of their WHOIS
>         server in
>         the IANA Root Zone database (Hanno's analysis at [1]).
>
>         We have not seen any evidence of issues with the WHOIS servers for
>         gTLDs in IANA's database.  Indeed, all 17 examples of outdated
>         WHOIS
>         servers are for ccTLDs despite there being 4 times as many
>         gTLDs as
>         ccTLDs.
>
>         I don't think it's reasonable to generalize to gTLDs based on
>         ccTLDs,
>         as ccTLDs aren't bound by any registry agreements and have
>         historically
>         been operated less competently than gTLDs.  For example:
>
>         Outages of .io NS servers:
>         https://hackernoon.com/stop-using-io-domain-names-for-production-traffic-b6aa17eeac20
>
>         Hijacking NS servers for .io:
>         https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/
>
>         Hijacking NS servers for .cd:
>         https://labs.detectify.com/writeups/how-i-hijacked-the-top-level-domain-of-a-sovereign-state/
>
>         Registry compromise of .tg:
>         https://groups.google.com/g/mozilla.dev.security.policy/c/4kj8Jeem0EU/m/GvqsgIzSAAAJ
>
>         The last three issues were security-critical and impacted
>         DNS-based
>         domain validation. It seems only the last issue was noticed by the
>         WebPKI community, and the response was scoped only to .tg.
>
>         A more targeted ballot would:
>
>         1. Require CAs to perform WHOIS lookups by sending a query to
>         IANA's
>         WHOIS server and following the referral to the TLD's WHOIS server.
>         Require CAs to perform RDAP lookups by using IANA's bootstrap
>         file.
>         Ban the use of HTTPS websites.  I believe this would give
>         WHOIS/RDAP
>         validation comparable security properties to DNS-based validation
>         for gTLDs.  Note that the gTLD registry agreement places the same
>         requirements on updating WHOIS/RDAP server information as it
>         does on
>         updating DNS server information.[2]
>
>         2. Ban WHOIS/RDAP for ccTLDs.
>
>         Regrettably, parsing emails sent to a Domain Contact is often the
>         easiest way to implement automated validation for a large
>         number of
>         domains, since it allows delegation to a single central point,
>         using
>         configuration that is often already in place (WHOIS record contact
>         information). Delegating DNS records using CNAME (e.g. with
>         [3]) is
>         better, but not as easy because it requires the subscriber to
>         operate
>         public-facing infrastructure.  So I think that banning WHOIS,
>         particularly on this timeline, would lead to a net reduction in
>         automation, and I don't believe this is justified by the available
>         evidence when a more targeted fix is available.
>
>         Regards,
>         Andrew
>
>         [1]
>         https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20240913151529.2289f19d%40computer
>
>         [2]
>         https://itp.cdn.icann.org/en/files/registry-agreements/base-registry-agreement-21-01-2024-en.html
>         "IANA Rootzone Database"
>
>         [3] https://github.com/joohoi/acme-dns/
>         _______________________________________________
>         Servercert-wg mailing list
>         Servercert-wg at cabforum.org
>         https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240918/00dd1983/attachment-0001.html>

More information about the Servercert-wg mailing list