[Servercert-wg] Sunsetting use of WHOIS to identify Domain Contacts

Arvid Vermote arvid.vermote at globalsign.com
Mon Sep 16 15:04:27 UTC 2024


Hi Ryan

GlobalSign would like to endorse this proposal.

Thanks

Arvid

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ryan Dickson via Servercert-wg
Sent: Monday, 16 September 2024 16:33
To: ServerCert CA/BF <Servercert-wg at cabforum.org>
Subject: [Servercert-wg] Sunsetting use of WHOIS to identify Domain Contacts


All,


In light of recent events where research from WatchTowr Labs demonstrated how threat actors could exploit WHOIS to obtain fraudulently issued TLS certificates [1] and follow-on discussions in MDSP [2][3], we drafted an introductory proposal [4] to sunset the use of WHOIS for identifying Domain Contacts.


The proposal sets a prohibition against relying on WHOIS to identify Domain Contacts beginning 11/1/2024.


While publicly-trusted CA Owners are required to disclose and maintain in-use DCV methods to the CCADB [5], the collected data lacks specificity, hindering our ability to assess the extent of reliance on WHOIS and the potential impact of transitioning away from it.


Feedback on the proposal (preferably using comments or suggestions on the Pull Request via GitHub) along with volunteers for endorsers would be appreciated.

Thanks,

Ryan


P.S., I apologize if this effort is redundant to discussions already taking place in the Forum, I was traveling last week and am catching up on email.


[1] https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/

[2] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U

[3] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA

[4] https://github.com/cabforum/servercert/pull/548

[5] https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240916/cfc2543e/attachment-0001.html>


More information about the Servercert-wg mailing list