[Servercert-wg] [External Sender] Re: Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

Wed Sep 18 17:35:56 UTC 2024

On 17/9/2024 7:05 μ.μ., Pedro FUENTES via Servercert-wg wrote:
> Could it be that we all agree that WHOIS-related method are so tricky 
> that it deserves to be ditched and the only thing to requires 
> consensus is the deadline to apply?

Can you explain what you mean by "tricky"? We have several challenging 
requirements in the BRs that could also be considered "tricky" :)

Dimitris.

>
> On my particular side, I personally consider that 1/1/2025 is a 
> reasonable date.
>
>> Le 17 sept. 2024 à 17:59, Adriano Santoni via Servercert-wg 
>> <servercert-wg at cabforum.org> a écrit :
>>
>> 
>>
>> Andrew,
>>
>> I was not referring to any WHOIS server, but rather to the 
>> information about domain "owners" that a registrar is supposed to 
>> collect and keep.
>>
>> So you believe that if a CA does the following, the domain contact 
>> email they can (sometimes) get is /unreliable/?
>>
>> 1) Consult the list of accredited domain registrars on the IANA 
>> website (https://www.icann.org/en/accredited-registrars), thus 
>> finding confirmation of one particular registrar's website the CA was 
>> looking for.
>> 2) Access the website found in point 1 above and query the 
>> information available on a certain domain.
>> 3) At this point, sometimes (rarely) obtain, among other information, 
>> also the email address of a domain contact.
>>
>> Note that here I'm not talking about the WHOIS protocol nor WHOIS 
>> servers, but about the information that the domain registrar has the 
>> duty to collect and store (not necessarily publish) about the subject 
>> who registered a domain.
>>
>> Regards,
>>
>> Adriano
>>
>>
>> Il 17/09/2024 17:13, Andrew Ayer ha scritto:
>>> [NOTICE: Pay attention - external email - Sender isagwa at andrewayer.name ]
>>>
>>>
>>>
>>>
>>>
>>> On Tue, 17 Sep 2024 07:21:28 +0000
>>> Adriano Santoni via Servercert-wg<servercert-wg at cabforum.org> wrote:
>>>
>>>> I believe that the /interactive
>>>> /query of the domain registrar, directly on its website, can be
>>>> considered reliable to the extent that the CA is confident that it is in
>>>> fact consulting the "right" website.
>>> CAs were not consulting the right WHOIS server, despite a database of
>>> correct WHOIS servers existing (at least for gTLDs).  How would the problem
>>> be better when it comes to finding the "right" website?
>>>
>>> The gTLD registry agreement requires gTLD operators to update the IANA
>>> Rootzone Database when their WHOIS server changes; I don't see a
>>> similar requirement for keeping a database of website URLs up-to-date.
>>>
>>> Regards,
>>> Andrew
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=IqgVx_nvAxgc9vUVg8d2gCn7R7eMqKPCSgoIW6If9F-DHYck2BXkEdTactbQnmGx&s=TSpgJKJi2JL8yKR40EYmCep1QcQe0Ueo8VaHzA2ijT0&e=
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240918/c7bfc42a/attachment.html>