[cabf_validation] Proposal for Adding RDAP

Ryan Sleevi sleevi at google.com
Tue May 1 08:16:34 MST 2018


On Tue, May 1, 2018 at 9:03 AM, Tim Hollebeek via Validation <
validation at cabforum.org> wrote:

> I’ll endorse, and I have comments.
>
>
>
> First, thanks for doing this, and thanks for the excellent observation
> that the (IMHO wrong) interpretation that “WHOIS” is strictly limited to
> the IETF WHOIS protocol would also prohibit getting the information from
> the registry/registrar’s web interface.  I know that doing that is
> ridiculously common throughout the industry.
>
>
>
> Do we want to define “WHOIS information” instead of “WHOIS”?  That neatly
> sidesteps the issue of “WHOIS, the protocol” vs “WHOIS, the data”.
>
>
>
> On the question of authentication, I love authentication, but there is the
> question of whether this is a “clarification” ballot or an “improve the
> rules” ballot.  The initial goal of this ballot was the former, and “WHOIS,
> the protocol” is unauthenticated, so if we stick to that goal, then no.
>
>
>
> However, if there is enough support, I would love to support something
> along these lines:
>
>
>
> CAs MAY continue to use WHOIS.
>
> CAs MAY use HTTPS interfaces and APIs if they validate that the server is
> operated by the registry  / registrar.
>

While subtle, I think this is an important and valuable contribution -
namely, that it changes 'a registrar' to 'the registrar'.

The subtlety is that the goal is to ensure the information is from an
authoritative source. You should not query WHOIS services on an unrelated
registry/registrar to determine the status for the domain - that's simply
trying to use registrars as a RA (or stretching credulity, to argue it's a
QIIS).


> CAs SHOULD prefer RDAP when available.
>
> CAs MUST use authenticated HTTPS and/or RDAP methods when supported by the
> registry / registrar.
>
>
>
> But I think that might not have majority support.  It does have the
> advantage that it slowly moves the industry towards modern, authenticated
> methods as registrars and registries start supporting them.  Which should
> only take a century or two.
>

I agree that it's unlikely to have support - even from browsers - in part
as that RDAP is still in its pilot phase. Consider that ICANN's first RDAP
profile resulted in a request for ICANN to *not* use that profile from the
registries, and the pilot will end in July 2018. As exciting as RDAP is,
let's not rush to something that is still (intentionally) going through
careful rollout and experimentation.
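The distinction the thread turns on, querying *the* registry/registrar rather than *a* registrar, has a concrete mechanical form in RDAP: the IANA bootstrap registry (RFC 9224, published at https://data.iana.org/rdap/dns.json) maps each TLD to the base URLs of its authoritative RDAP servers, and RFC 9083 defines the JSON a domain lookup returns. The following is an added example, not code from the CA/Browser Forum thread, from Tim Hollebeek, from Ryan Sleevi, or from any CA; the bootstrap file and the domain response are constructed samples that follow those two formats, and every hostname in them (`rdap.example-registry.test` and the others) is a placeholder, not a real service. It does no network I/O: it shows how a validator selects the authoritative HTTPS endpoint, rejects a lookup that was served from an unrelated host, and reads the registrar, status and nameserver fields out of the answer.

```python
"""RDAP: locate the authoritative server for a domain and read its answer.

Added example. Models "query *the* registry/registrar, not *a* registrar":
the IANA bootstrap registry (RFC 9224) maps a TLD to authoritative RDAP
base URLs; RFC 9083 defines the JSON returned by a domain lookup.
Both documents below are constructed samples; hostnames are placeholders.
"""
import json
from urllib.parse import urljoin, urlparse

# Constructed bootstrap file in the RFC 9224 "services" layout:
# each entry is [[tld, ...], [base_url, ...]].
BOOTSTRAP_JSON = json.dumps({
    "version": "1.0",
    "publication": "2018-05-01T00:00:00Z",
    "services": [
        [["example"], ["https://rdap.example-registry.test/"]],
        [["test", "invalid"], ["http://rdap.legacy.test/",
                               "https://rdap.secure.test/v1/"]],
    ],
})

# Constructed RFC 9083 domain object, as an authoritative server would return it.
DOMAIN_RESPONSE_JSON = json.dumps({
    "objectClassName": "domain",
    "ldhName": "shop.example",
    "status": ["client transfer prohibited", "server delete prohibited"],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Placeholder Registrar Ltd"]]]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.shop.example"},
                    {"objectClassName": "nameserver", "ldhName": "ns2.shop.example"}],
})


def authoritative_rdap_bases(domain, bootstrap_json=BOOTSTRAP_JSON):
    """Return the HTTPS RDAP base URLs the bootstrap file lists for the domain's TLD.

    Plain-http entries are dropped: an unauthenticated transport cannot show
    that the answer came from the registry at all.
    """
    tld = domain.lower().rstrip(".").rsplit(".", 1)[-1]
    for tlds, urls in json.loads(bootstrap_json)["services"]:
        if tld in [t.lower() for t in tlds]:
            return [u for u in urls if urlparse(u).scheme == "https"]
    return []


def is_authoritative_source(url, domain, bootstrap_json=BOOTSTRAP_JSON):
    """True only if the lookup URL is served from a host listed for that TLD."""
    host = urlparse(url).hostname
    bases = authoritative_rdap_bases(domain, bootstrap_json)
    return any(urlparse(b).hostname == host for b in bases)


def domain_query_url(domain, bootstrap_json=BOOTSTRAP_JSON):
    """Build the RFC 9082 lookup URL (<base>domain/<name>) on the first HTTPS base."""
    bases = authoritative_rdap_bases(domain, bootstrap_json)
    if not bases:
        raise LookupError("no authoritative HTTPS RDAP server for %s" % domain)
    return urljoin(bases[0], "domain/" + domain.lower().rstrip("."))


def _vcard_fn(entity):
    """Pull the formatted name ("fn") out of an entity's jCard (vcardArray)."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == "fn":
            return prop[3]
    return None


def summarize_domain(response_json):
    """Extract the fields a validator reads: registrar, registrant, status, nameservers."""
    obj = json.loads(response_json)
    if obj.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    by_role = {}
    for ent in obj.get("entities", []):
        for role in ent.get("roles", []):
            by_role[role] = _vcard_fn(ent)
    return {
        "name": obj.get("ldhName"),
        "registrar": by_role.get("registrar"),
        "registrant": by_role.get("registrant"),
        "status": obj.get("status", []),
        "nameservers": [ns["ldhName"] for ns in obj.get("nameservers", [])],
    }


if __name__ == "__main__":
    print(domain_query_url("shop.example"))
    print(is_authoritative_source("https://rdap.someone-else.test/domain/shop.example",
                                  "shop.example"))
    print(summarize_domain(DOMAIN_RESPONSE_JSON))
```

The `is_authoritative_source` check is the programmatic form of "validate that the server is operated by the registry / registrar": a response is only accepted when it came from a host the bootstrap registry names for that TLD, over HTTPS. Fetching the URL with a TLS client that verifies the server certificate (the default for the standard library) supplies the authentication the thread contrasts with unauthenticated port-43 WHOIS.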