[Servercert-wg] Sunsetting use of WHOIS to identify Domain Contacts

Ryan Dickson ryandickson at google.com
Mon Sep 16 14:31:44 UTC 2024


All,

In light of recent events where research from WatchTowr Labs demonstrated
how threat actors could exploit WHOIS to obtain fraudulently issued TLS
certificates [1] and follow-on discussions in MDSP [2][3], we drafted an
introductory proposal [4] to sunset the use of WHOIS for identifying Domain
Contacts.

The proposal sets a prohibition against relying on WHOIS to identify Domain
Contacts beginning 11/1/2024.

While publicly-trusted CA Owners are required to disclose and maintain
in-use DCV methods to the CCADB [5], the collected data lacks specificity,
hindering our ability to assess the extent of reliance on WHOIS and the
potential impact of transitioning away from it.

Feedback on the proposal (preferably using comments or suggestions on the
Pull Request via GitHub) along with volunteers for endorsers would be
appreciated.

Thanks,

Ryan

P.S., I apologize if this effort is redundant to discussions already taking
place in the Forum, I was traveling last week and am catching up on email.

[1]
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/

[2]
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U

[3]
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA

[4] https://github.com/cabforum/servercert/pull/548

[5]
https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240916/65b262f2/attachment.html>


More information about the Servercert-wg mailing list