[cabf_validation] Proposal for Adding RDAP

Wayne Thayer wthayer at mozilla.com
Tue May 1 09:59:12 MST 2018


On Tue, May 1, 2018 at 3:16 PM, Ryan Sleevi <sleevi at google.com> wrote:

>
>
> On Tue, May 1, 2018 at 9:03 AM, Tim Hollebeek via Validation <
> validation at cabforum.org> wrote:
>
>> I’ll endorse, and I have comments.
>>
>>
>>
>> First, thanks for doing this, and thanks for the excellent observation
>> that the (IMHO wrong) interpretation that “WHOIS” is strictly limited to
>> the IETF WHOIS protocol would also prohibit getting the information from
>> the registry/registrar’s web interface.  I know that doing that is
>> ridiculously common throughout the industry.
>>
>>
>>
>> Do we want to define “WHOIS information” instead of “WHOIS”?  That neatly
>> sidesteps the issue of “WHOIS, the protocol” vs “WHOIS, the data”.
>>
>>
>>
The use of the term WHOIS in the BRs is inconsistent, but the following
definition would work:

WHOIS: information retrieved directly from the Domain Name Registrar or
registry operator via the protocol defined in RFC 3912, the Registry Data
Access Protocol defined in RFC 7482, or an HTTPS website.

>> On the question of authentication, I love authentication, but there is the
>> question of whether this is a “clarification” ballot or an “improve the
>> rules” ballot.  The initial goal of this ballot was the former, and “WHOIS,
>> the protocol” is unauthenticated, so if we stick to that goal, then no.
>>
>>
>>
>> However, if there is enough support, I would love to support something
>> along these lines:
>>
>>
>>
>> CAs MAY continue to use WHOIS.
>>
>> CAs MAY use HTTPS interfaces and APIs if they validate that the server is
>> operated by the registry / registrar.
>>
>
> While subtle, I think this is an important and valuable contribution -
> namely, that it changes 'a registrar' to 'the registrar'.
>
> The subtlety is that the goal is to ensure the information is from an
> authoritative source. You should not query WHOIS services on an unrelated
> registry/registrar to determine the status for the domain - that's simply
> trying to use registrars as a RA (or stretching credulity, to argue it's a
> QIIS).
>
>
My word choice was intentional because I'm confident that this happens
today. I modified the definition above to account for this, but CAs should
be aware that this change could have a big impact on the way they query for
WHOIS data.

>> CAs SHOULD prefer RDAP when available.
>>
>> CAs MUST use authenticated HTTPS and/or RDAP methods when supported by the
>> registry / registrar.
>>
>>
>>
>> But I think that might not have majority support.  It does have the
>> advantage that it slowly moves the industry towards modern, authenticated
>> methods as registrars and registries start supporting them.  Which should
>> only take a century or two.
>>
>
> I agree that it's unlikely to have support - even from browsers - in part
> as that RDAP is still in its pilot phase. Consider that ICANN's first RDAP
> profile resulted in a request for ICANN to *not* use that profile from the
> registries, and the pilot will end in July 2018. As exciting as RDAP is,
> let's not rush to something that is still (intentionally) going through
> careful rollout and experimentation.
>

+1
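The thread's two technical points, that the data must come from the registry or registrar responsible for the domain (not from "a" registrar) and that RDAP runs over HTTPS so the server is authenticated where port-43 WHOIS is not, can be shown in code. The following is an added example written for this page; it is not code from the thread, from any CA, or from a CA/Browser Forum document. It assumes the IANA bootstrap registry layout from RFC 7484 and the RDAP domain response shape from RFC 7483; the bootstrap entries, the `.invalid` hostnames and the domain response are all constructed sample data, and the function names are the example's own.

```python
"""
Select the authoritative RDAP service for a domain name and read the
registrar/registrant/status fields from an RDAP domain response.
Example written for this discussion; all data below is constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed stand-in for the IANA RDAP bootstrap registry for DNS
# (RFC 7484 layout: each "services" entry is [ [tlds...], [base URLs...] ]).
# Hostnames use the reserved .invalid TLD: placeholders, not real registries.
BOOTSTRAP_JSON = """
{
  "version": "1.0",
  "publication": "2018-05-01T00:00:00Z",
  "description": "constructed sample, not the IANA file",
  "services": [
    [ ["com", "net"], ["https://rdap.registry-a.invalid/v1/"] ],
    [ ["uk"],         ["https://rdap.registry-b.invalid/"] ],
    [ ["co.uk"],      ["https://rdap.registry-c.invalid/"] ],
    [ ["example"],    ["http://rdap.registry-d.invalid/"] ]
  ]
}
"""

# Constructed RDAP domain object in the RFC 7483 JSON shape; names are made up.
RDAP_DOMAIN_JSON = """
{
  "objectClassName": "domain",
  "ldhName": "EXAMPLE.COM",
  "status": ["client transfer prohibited", "active"],
  "entities": [
    { "objectClassName": "entity", "roles": ["registrar"],
      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                               ["fn", {}, "text", "Registrar Example Ltd"]]] },
    { "objectClassName": "entity", "roles": ["registrant"],
      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                               ["fn", {}, "text", "Jane Applicant"]]] }
  ]
}
"""


def _labels(domain):
    """Lower-case DNS labels, with any trailing dot removed."""
    return domain.lower().rstrip(".").split(".")


def authoritative_rdap_base(domain, bootstrap_json=BOOTSTRAP_JSON):
    """Return the RDAP base URL of the registry responsible for `domain`,
    or None when the bootstrap registry has no entry for it.  The rightmost
    labels are tried longest suffix first, so "co.uk" wins over "uk"; the
    result is this domain's registry, never some unrelated registry's server."""
    table = {}
    for tlds, urls in json.loads(bootstrap_json)["services"]:
        for tld in tlds:
            table[tld.lower()] = urls
    labels = _labels(domain)
    for i in range(1, len(labels)):           # suffixes, longest to shortest
        urls = table.get(".".join(labels[i:]))
        if urls:
            # When several base URLs are listed, take an HTTPS one if present.
            https_urls = [u for u in urls if urlsplit(u).scheme == "https"]
            return (https_urls or urls)[0]
    return None


def require_https(url):
    """RDAP is carried over HTTPS, so the TLS certificate authenticates the
    registry.  Refuse anything else instead of silently degrading."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("refusing RDAP base that is not HTTPS: %s" % url)
    return url


def domain_query_url(domain, bootstrap_json=BOOTSTRAP_JSON):
    """Build the RFC 7482 domain lookup URL, or None if no registry is known."""
    base = authoritative_rdap_base(domain, bootstrap_json)
    if base is None:
        return None
    return require_https(base).rstrip("/") + "/domain/" + ".".join(_labels(domain))


def _vcard_fn(vcard_array):
    """Pull the formatted name out of a jCard ["vcard", [[name, params, type, value], ...]]."""
    if not vcard_array or len(vcard_array) < 2:
        return None
    for prop in vcard_array[1]:
        if len(prop) >= 4 and prop[0] == "fn":
            return prop[3]
    return None


def summarize_domain(rdap_json=RDAP_DOMAIN_JSON):
    """Reduce an RDAP domain object to the fields a validator looks at."""
    obj = json.loads(rdap_json)
    if obj.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    summary = {"ldhName": obj.get("ldhName", "").lower(),
               "status": list(obj.get("status", [])),
               "registrar": None, "registrant": None}
    for ent in obj.get("entities", []):
        name = _vcard_fn(ent.get("vcardArray"))
        for role in ent.get("roles", []):
            if role in ("registrar", "registrant"):
                summary[role] = name
    return summary


if __name__ == "__main__":
    print(domain_query_url("example.com"))
    print(summarize_domain())
```

The `.example` entry in the constructed bootstrap data carries only an `http://` URL, so `domain_query_url("anything.example")` raises rather than querying an unauthenticated endpoint; that is the failure mode a CA's tooling should surface instead of falling back to port-43 WHOIS without noticing.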